(19) European Patent Office
Office européen des brevets

(11) EP 0 883 284 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 09.12.1998 Bulletin 1998/50

(51) Int. Cl.6: H04N 1/32, H04L 9/32

(21) Application number: 98110336.9

(22) Date of filing: 05.06.1998

(84) Designated Contracting States:
AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE
Designated Extension States:
AL LT LV MK RO SI

(30) Priority: 05.06.1997 JP 148061/97
18.12.1997 JP 348860/97

(71) Applicant: Hitachi, Ltd.
Chiyoda-ku, Tokyo 101-8010 (JP)

(72) Inventors:
• Yoshiura, Hiroshi
Miyamae-ku, Kawasaki-shi, Kanagawa-ken (JP)
• Takaragi, Kazuo
Ebina-shi, Kanagawa-ken (JP)
• Sasaki, Ryoichi
Fujisawa-shi, Kanagawa-ken (JP)
• Susaki, Seiichi
Totsuka-ku, Yokohama-shi, Kanagawa-ken (JP)
• Toyoshima, Hisashi
Hachioji-shi, Tokyo (JP)
• Saito, Tsukasa
Suginami-ku, Tokyo (JP)

(74) Representative:
Beetz & Partner
Patentanwälte
Steinsdorfstrasse 10
80538 München (DE)

(54) Digital data authentication method 

(57) This invention provides a method for identifying 
a purchaser who purchased content from which an ille- 
gal copy was produced. A provider system (100) 
encrypts a content purchased by the purchaser using a 
public key of a purchaser system (200) and sends the 
encrypted content to the purchaser system. The pur- 
chaser system 200 creates a digital signature of the 
content with the use of a private key of its own and 
embeds the created digital signature into the received 
content. When an illegal copy is found, the provider sys- 
tem 100 verifies the digital signature, embedded in the 
illegal copy as a digital watermark, to identify the pur- 
chaser who purchased the content from which the ille- 
gal copy was produced. 
Description

BACKGROUND OF THE INVENTION 

1. Field of the Invention

This invention relates to technology which authenti-
cates the relation between digital data and an individ-
ual/organization.

2. Description of Related Art 

As the information society has evolved recently,
more and more digital data is used instead of traditional
printed matter as communication media. Digital data is
sometimes sold as a valuable commodity.

In the information society like this, some means are
necessary to authenticate the relation between digital
data and an individual/organization in order to prevent
crimes or malicious actions including illegal copying,
illegal alteration, and illegal use of digital data. For
example, to check that digital data has been provided by
an authentic organization, some means are necessary
to authenticate the relation between the digital data and
the authentic organization. Similarly, to check the
source of digital data or to check the individual or organ-
ization owning the right to digital data, some means are
necessary to authenticate the relation between the dig-
ital data and an individual or an organization.

Conventionally, a technique known as a digital sig-
nature has been used to authenticate the relation
between digital data and an individual/organization.

As described in "ANGO RIRON NYUMON (Intro-
duction to Cryptography)", pages 133-137, Kyoritsu
Shuppan Co., Ltd. 1993, the digital signature technique,
developed to prove the correctness of documents, com-
bines public key cipher technology with one-way func-
tions.

In this technology, a pair of keys, a private key S
and a public key V which satisfy g(f(n, S), V) = n and
f(g(n, V), S) = n, is created first, where n represents
data, and f and g represent functions. These formulae
mean that data encrypted with the private key S may be
decrypted with the public key V and that, conversely,
data encrypted with the public key V may be decrypted
with the private key S. It should also be noted that it is
virtually impossible to find the private key S from the
public key V.

Once the private key S and the public key V are cre-
ated, the creator passes the public key V to a partner
and holds the private key S privately.

When the key creator sends data to the partner, the
creator passes data to which a digital signature is
attached. This digital signature is created by evaluating
data with a predetermined one-way function and then
encrypting the resulting evaluation value with the private
key S.

The one-way function described above can calcu-
late an evaluation value from data, but it is virtually
impossible to calculate the original data from the evaluation
value. In addition, it is necessary for the one-way func-
tion used in creating a digital signature to return a
unique bit string for each piece of unique data; that is,
the probability of the function returning the same bit
string to two or more pieces of data must be very small.
An example of such functions is a one-way hash func-
tion which evaluates data and returns a bit string as the
evaluation value of the data. The evaluation value h(D)
calculated by the one-way hash function is called the
hash value of D, where h is the one-way hash function
and D is data.

Upon receiving data to which a digital signature is
attached, the receiving partner evaluates the data with
the one-way function to obtain an evaluation value and
then checks if the evaluation value matches the value
generated by decrypting the digital signature using the
public key V. When they match, it is verified that the dig-
ital signature was created by the holder of the private
key S corresponding to the public key V and that the dig-
ital signature is for the data that was received.

The technique described in "Applied Cryptogra-
phy", John Wiley & Sons, Inc. (1996), pp 39-41, is
known as a technique for creating digital signatures for
use by a plurality of persons that are attached to one
piece of data.

When this technique is used, not all signature crea-
tors need to generate the hash value of data to create a
digital signature; and instead, each of the second and
subsequent signature creators calculates the hash
value of the digital signature of the immediately-preced-
ing creator to get his or her digital signature. That is, the
first signature creator calculates the hash value of data
and then encrypts the resulting hash value with his or
her own private key to get a digital signature, as
described above. The second creator encrypts the hash
value of the first creator's digital signature with his or her
own private key to get a digital signature. This is
repeated for the subsequent signature creators. That is,
the n-th creator encrypts the hash value of the (n-1)th
creator's digital signature with his or her own private key
to obtain a digital signature.

In this case, the digital signatures created by n sig-
nature creators are verified as follows. The final digital
signature is decrypted by the public key of the final (n-
th) signature creator, the decrypted digital signature is
then decrypted by the public key of the (n-1)th signature
creator, and so on, until the digital signature of the first
signature creator is decrypted. If the result obtained by
decrypting the signature by the public key of the first sig-
nature creator matches the hash value of the original
data, it is determined that the digital signature was cre-
ated by n signature creators each having his or her own
public key and that the digital signature corresponds to
the data. However, when the sequence in which the sig-
nature creators created signatures is not known, this
technique requires that the above process be per-
formed for the number of times generated by permutat-
ing all signature creators.

Also available for authenticating the relation
between digital data and an individual/organization is a
technique known as a digital watermark.

As described in Nikkei Electronics (1997), No. 683,
pp. 99 - 107, this technique embeds management infor-
mation, such as copyright information, into image data
itself.

The digital watermark technique has the following
features. Embedded data is not usually seen when
image data containing that embedded information is
displayed and, in addition, the image data itself dis-
played on a screen is almost not affected by the embed-
ded information. Removing only the embedded
information is difficult and, if the embedded information
is removed accurately, the picture quality of the image
data is significantly degraded. In general, even when
the image data is compressed, embedded information
may be restored to some extent.

A digital watermark technique which enables infor- 
mation to be embedded, not into image data, but into 
text data, drawing data (graphic data), and audio data 
has also been proposed. 

In Nikkei Electronics (1997), No. 683, pp. 99 - 107,
a technique using such digital watermark for preventing
the illegal copy of contents, which are composed of dig-
ital data such as image data, is also described.

This technique embeds the identification of the con-
tents purchaser into the contents in the form of a digital
watermark. When illegally copied contents are seized,
the embedded information is extracted to identify the
person (that is, the purchaser) who produced the illegal
copy.

The basic procedure for embedding purchaser's
identification information is as follows:

(1) The provider (contents provider) assigns a
unique number to a contents purchaser.

(2) The provider embeds the number of the con-
tents purchaser into the contents in the form of a
digital watermark.

(3) When illegally-copied contents are found and
seized, the provider or inspection division extracts
the number from the contents to identify the pur-
chaser.

(4) The penalty is imposed on the purchaser for ille-
gal copy or for lending the contents to a person who
produced the illegal copy.

Recently a WWW (World Wide Web) system, com-
posed of a WWW server program and a browser pro-
gram, has become popular as means for providing and
sending information to a plurality of users over an open
network such as the Internet. As this type of WWW sys-
tem has become widely used, it has become necessary
to be able to authenticate the relation between a Web
page, which contains digital data made available on a
WWW server, and an individual/organization in order to
prevent crimes or malicious actions from occurring
through the illegal use of the WWW system. For exam-
ple, when a Web page is guaranteed by some authentic
organization, it is necessary to be able to authenticate
the relation between the Web page and the organization
to allow the user to make sure that the Web page is truly
guaranteed. Similarly, to check the individual's or organ-
ization's right to a Web page creator or a Web page, the
relation between the Web page and the individual or
organization must be able to be authenticated.

As described in the April 1996 issue of "OPEN
DESIGN" (published by CQ Publishing Co., Ltd. Issuer:
Ryoji Gamou), pp. 4 - 22 and pp. 40 - 78, a WWW sys-
tem features not only the easy-to-operate graphical user
interface (GUI) but also the usability which allows the
user to reference related information linked by hyper-
text. This WWW system has contributed to the fast
growth of the Internet.

The outline of a WWW system introduced by the 
publication is as follows: 

The WWW system is composed of at least one
WWW server on which a WWW server program for pub-
lishing information runs and at least one client terminal
on which a browser program for browsing published
information runs. Data is transferred between the WWW
server and the client terminal via the communication
protocol called HTTP (HyperText Transfer Protocol).

To publish information on the WWW server, a
server user must create a Web page containing data to
be published. This page contains text data, image data,
audio data, video data, and link data to other Web
pages, all interconnected using a structure description
language called HTML (Hyper Text Markup Language).
Then, the user stores this Web page in a location (direc-
tory) in the WWW server so that it may be accessed
from other computers (client terminals or other WWW
servers).

To browse a published Web page from a client ter- 
minal using a browser program, a terminal user must 
type the URL (Universal Resource Locator) of the Web 
page. Then, the Web page is sent from the WWW 
server to the client terminal. The text data, image data, 
and video data of the Web page are displayed on the cli- 
ent terminal screen. Audio data, if included in the page, 
is produced from the speaker connected to the client 
terminal. 

The recent trend is that the WWW system like this 
is used not only as the communication means but also 
in business. One such application is an electronic com- 
merce system which provides the user with information 
on goods using this WWW system. 

The overview of this electronic commerce system is
described in "JYOHOSHORI (Information Processing),
No. 9 of volume 38", pp. 752-810 (Issuer: Kouji Iizuka,
published by Jyohoshori Gakkai (Information Process-
ing Society of Japan)).

The electronic commerce system described in the
above-mentioned publication not only provides the user
with information on goods but also settles accounts with
the use of the cryptography technology, such as com-
mon key cipher and public key cipher, and the authenti-
cation technology such as digital signatures. In this
system, many settlement methods, including bank set-
tlements, credit card settlements, or electronic money
settlements, are used.

In such an electronic commerce system, most ven- 
dors include into their web pages the image data, such 
as the logos of credit card companies, to allow the user 
to instantly select one of various payment methods. This 
is similar to a real-world (not a virtual world such as the 
Internet) store where the logos of the credit card com- 
panies are put up on the counter or in the show window. 

Sometimes, a Web page may also contain image 
data, such as logo marks indicating the Web page crea- 
tor or an authentic individual or organization which has 
authorized the Web page, to allow a Web page user to 
instantly ascertain who has created the Web page or 
that the Web page has been authorized by the authentic 
individual or organization. 

SUMMARY OF THE INVENTION 

The above-described digital watermark technology 
has the following problems. 

First, the relation between information embedded
as a digital watermark and an individual/organization
indicated by the embedded information is not always
guaranteed. That is, it cannot be always said that the
information embedded in the digital data indicates the
relation between the individual/organization and the dig-
ital data correctly.

For example, with the illegal copy prevention tech- 
nique described above, a number embedded in the ille- 
gally-copied contents cannot always be used as a proof 
that the illegally-copied contents were purchased by the 
purchaser corresponding to that number. That is, 
because the number was given by the provider one- 
sidedly, the purchaser may insist that the number found 
in the copy is not the one assigned to him or her. 

In the case of the Web page described above, there 
is a possibility of an illegal user forging information to 
pretend to be some other user and embedding it as a 
digital watermark or alternatively he may pretend that 
the information is guaranteed by an authentic organiza- 
tion. 

Second, the relation between digital data and an 
individual/organization indicated by the information 
embedded as a digital watermark is not guaranteed. 

For example, in the illegal copy prevention tech-
nique described above, there is no proof that a pur-
chaser's number is embedded correctly in the content
purchased by the purchaser. In other words, there is a
possibility that a person other than the purchaser (for
example, a person at the provider) has mistakenly or
maliciously embedded the purchaser's number in a con-
tent not purchased by the purchaser.

In the case of the Web page described above, there
is a possibility of an illegal user extracting a digital
watermark embedded in a Web page by an individ-
ual/organization, and embedding it in his/her Web page
to pretend to be the legal purchaser or to pretend that
his/her page is guaranteed by an authentic organiza-
tion.

Third, when there are many copyright holders for a
single content with much copyright information that
must be embedded in it with the use of the digital water-
mark technique, the quality of the content (image quality
when the content is image data) is significantly
degraded.

Fourth, the digital watermark technology is not suit-
able for digital data, such as a Web page, containing
several types of data. For example, when the technol-
ogy is used for digital data containing text data, drawing
data, and image data, each type of data must be proc-
essed separately.

On the other hand, the digital signature technique is
cumbersome because digital data as well as the digital
signatures associated with the digital data must be
managed as a pair. In addition, digital signatures, which
can be separated from digital data much easier than
digital watermarks, cannot be used for preventing illegal
copies.

Another problem with digital watermarks and digital
signatures is that because they are invisible, the digital
data user cannot immediately understand the relation
between digital data indicated by digital watermarks or
digital signatures and an individual/organization.

For example, digital watermarks and digital signa-
tures do not present the user with information on the
relation between a Web page and an individual/organi-
zation in the same way as a Web page including logo
marks as image data does. This means that digital
watermarks and digital signatures do not directly guar-
antee that the relation between digital data indicated by
digital watermarks or digital signatures and an individ-
ual/organization corresponds to the relation between
digital data presented directly to the user and the indi-
vidual/organization.

On the other hand, a logo mark added to a Web
page is image data. Therefore, it cannot be authenti-
cated that the Web page actually contains data that is
indicated by the relation between the logo mark and an
individual/organization.

Take the logo mark of a credit card company for
example. Imagine that an illegal user copies the logo
mark of a credit card company from the Web page of a
legal agent of the company, pastes it into an appropriate
location of the Web page of the agent owned by the ille-
gal user, and then stores the Web page in the WWW
server so that any computer may access it. In this case,
a consumer may judge, from the logo mark of the credit
card company contained in the Web page of the agent
owned by the illegal user, that the agent is legal and
may send data necessary for settlement, such as a
credit card number, to that WWW server. As a result, the
illegal user is able to obtain the credit number of the
consumer illegally and make an illegal profit.

In view of the foregoing, it is an object of this inven-
tion to provide a technique which authenticates the rela-
tion between digital data and an individual/organisation
more reliably. It is another object of this invention to pro-
vide a technique which directly presents the user with
digital information on an individual/organization associ-
ated with digital data such that the relation between the
digital information and the individual/organization corre-
sponds to the relation between the digital data itself and
the individual/organization.

To achieve the above objects, a method according
to this invention is an embed-in-content information
processing method for processing information embed-
ded in a content using an electronic computer, the
method comprising the steps of creating cryptographic
information by encrypting specific data using a private
key in accordance with a public key cipher system used
by content-handling persons; and embedding the cre-
ated cryptographic information into the content such
that the cryptographic information cannot be separated
from the content without using a predetermined rule.

Here, the description that the cryptographic infor-
mation cannot be separated from the content without
using the predetermined rule means that, when the pre-
determined rule is not used, the cryptographic informa-
tion cannot be separated by a method other than the
trial-and-error method.

In this method, the cryptographic information is
extracted from the content containing the cryptographic
information for use in decrypting with the use of a public
key paired with the private key used by the content-han-
dling persons, and then the decrypted result is verified
to check if it matches the specific data. If the content in
which the cryptographic information is embedded is an
illegal copy, the content-handling person of the content
from which the illegal copy was created may be identi-
fied.

In this case, this determination is made by verifying 
information embedded in the illegal copy wherein the 
information depends on the private key known only to 
the content-handling person of the content and may be 
created only by the content-handling person of the con- 
tent. This makes clear the correspondence between the 
information embedded in the illegal copy and the con- 
tent-handling person of the content from which the ille- 
gal copy was created. 

The cryptographic information embedded in the
content may be a value dependent on the content into
which the cryptographic information is to be embedded.
For example, the value may be a digital signature gen-
erated by encrypting the hash value of the content. This
value makes even clearer the correspondence between
the information embedded in the illegal copy and the
content-handling person of the content from which the
illegal copy was created.
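
The scheme of the preceding paragraphs, as an added Python example that is not taken from the patent: the purchaser signs a hash of the content, hides the signature in the content, and the provider later extracts it and tests it against registered public keys. The toy textbook RSA keys built from Mersenne primes, the least-significant-bit carrier chosen by a seeded generator (standing in for the "predetermined rule"), the hash taken with the carrier bits cleared, and all names and sample data are assumptions of this example.

```python
import hashlib
import random

E = 65537             # public exponent shared by the toy keys
SIG_BITS = 200        # fixed-width field, wide enough for both toy moduli
RULE_SEED = 0x883284  # constructed value standing in for the "predetermined rule"


def keypair(p, q):
    """Toy textbook RSA from two known primes. Not secure; illustration only."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))


def carrier_positions(length):
    """Byte offsets whose least significant bit carries one signature bit."""
    return random.Random(RULE_SEED).sample(range(length), SIG_BITS)


def content_digest(content):
    """160-bit hash of the content with every carrier bit cleared.

    Clearing the carrier bits first means embedding the signature does not
    change the value that was signed.
    """
    masked = bytearray(content)
    for pos in carrier_positions(len(content)):
        masked[pos] &= 0xFE
    return int.from_bytes(hashlib.sha256(bytes(masked)).digest()[:20], "big")


def sign_and_embed(content, n, d):
    """Purchaser side: sign the digest with the private key and hide it."""
    sig = pow(content_digest(content), d, n)
    marked = bytearray(content)
    for i, pos in enumerate(carrier_positions(len(content))):
        marked[pos] = (marked[pos] & 0xFE) | ((sig >> i) & 1)
    return bytes(marked)


def extract_signature(content):
    """Read the hidden field back using the same rule."""
    sig = 0
    for i, pos in enumerate(carrier_positions(len(content))):
        sig |= (content[pos] & 1) << i
    return sig


def identify_purchaser(copy, registry):
    """Provider side: return the purchaser whose public key verifies the
    embedded signature over this copy, or None if nobody's key does."""
    sig = extract_signature(copy)
    digest = content_digest(copy)
    for name, n in registry.items():
        if sig < n and pow(sig, E, n) == digest:
            return name
    return None


# Constructed keys and content (Mersenne primes 2^k - 1; toy sizes only).
ALICE = keypair(2**89 - 1, 2**107 - 1)
BOB = keypair(2**61 - 1, 2**127 - 1)
REGISTRY = {"alice": ALICE[0], "bob": BOB[0]}
ORIGINAL = bytes((i * 37 + 11) % 256 for i in range(4096))

if __name__ == "__main__":
    leaked = sign_and_embed(ORIGINAL, *ALICE)
    print("leaked copy traced to:", identify_purchaser(leaked, REGISTRY))
    print("unmarked original traced to:", identify_purchaser(ORIGINAL, REGISTRY))
```

Because the embedded value verifies only under the purchaser's own public key, the provider cannot produce it for a copy the purchaser never handled, which is the weakness of a provider-assigned number described earlier.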

To achieve the above object, this invention is an
embed-in-content information processing method for
embedding information on k (k is an integer equal to or
larger than 2) content-handling persons using an elec-
tronic computer, the method comprising the steps of
embedding a digital signature into the content such that
the digital signature cannot be separated from the con-
tent without using a predetermined rule, the digital sig-
nature being created by encrypting an n-bit hash value
using a private key in accordance with a public key
cipher system used by a first content-handling person,
the n-bit hash value being obtained by evaluating the
content with a first hash function; and sequentially
repeating digital signature embedding for a second per-
son to a k-th content-handling person, wherein, for an i-
th content-handling person (i is an integer between 2
and k), the content into which the digital signatures of
the first to an (i-1)th content-handling persons are embed-
ded is evaluated with a second hash function, wherein a
resulting n/2-bit hash value is encrypted using the pri-
vate key of the i-th content-handling person to generate
the digital signature of the i-th content-handling person,
and wherein the digital signature of the i-th content-han-
dling person is embedded into the content in which the
digital signatures from the first to the (i-1)th persons are
already embedded such that the digital signature of the
i-th content-handling person cannot be separated from
the content without using a predetermined rule.

This method allows the k persons' digital signatures
to be embedded into the content using
n + (k-1) * n/2 bits, with little effect on the security.

This invention is also an embed-in-content informa-
tion processing method for embedding information on k
(k is an integer equal to or larger than 2) content-han-
dling persons using an electronic computer, the method
comprising the steps of creating a digital signature of a
first content-handling person by encrypting a hash value
using a private key in accordance with a public key
cipher system of the first content-handling person, the
hash value being created by evaluating the content with
a first hash function; sequentially repeating digital sig-
nature creation for a second person to a k-th content-
handling persons to create the digital signatures of the
content-handling persons; and embedding the digital
signature of the k-th content-handling person into the
content such that the digital signature cannot be sepa-
rated from the content without using a predetermined
rule, the digital signature being obtained by performing
the digital signature creation for the k-th content-han-
dling person, wherein, during the digital signature crea-
tion processing for an i-th content-handling person (i is
an integer between 2 and k), a value dependent on the
digital signature of the (i-1)th content-handling person is
encrypted using the private key of the i-th content-han-
dling person to generate the digital signature of the (i-
1)th content-handling person. According to the embed-
in-content information processing method, when the
value determined by the value of the digital signature is
n bits long, embedding only n-bit data into the content
enables information for verifying k content-handling per-
sons to be embedded into the content.
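
An added Python example, not taken from the patent, of the sequential signing described in this paragraph and of the verification described in the related-art section: each signer encrypts the previous signer's value, only the final value is kept, and the verifier peels the layers with the public keys in reverse order, trying permutations when the order is unknown. It assumes that the "value dependent on the digital signature" is the previous signature itself, that moduli increase along the signing order so each value fits the next key, and that keys are toy textbook RSA from Mersenne primes; all names and sample data are constructed.

```python
import hashlib
from itertools import permutations

E = 65537  # public exponent shared by the toy keys


def keypair(p, q):
    """Toy textbook RSA from two known primes. Not secure; illustration only."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))


def digest(data):
    """120-bit hash value, small enough for the smallest toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:15], "big")


def chain_sign(data, keys):
    """keys: (n, d) pairs in signing order. Returns the single final value."""
    value = digest(data)
    for n, d in keys:
        if value >= n:
            # Textbook RSA can only recover values below the modulus.
            raise ValueError("value does not fit the next signer's modulus")
        value = pow(value, d, n)
    return value


def verify_order(data, final_sig, moduli):
    """moduli: public moduli in the claimed signing order."""
    value = final_sig
    for n in reversed(moduli):
        if value >= n:
            return False
        value = pow(value, E, n)
    return value == digest(data)


def find_signing_order(data, final_sig, public):
    """Signing order unknown: try each permutation of the registered signers.

    Returns (order, attempts); order is None when no permutation verifies.
    The worst case is k! attempts for k signers.
    """
    attempts = 0
    for order in permutations(public):
        attempts += 1
        if verify_order(data, final_sig, [public[name] for name in order]):
            return order, attempts
    return None, attempts


# Constructed signers, listed in signing order (moduli about 126, 150, 158 bits).
SIGNERS = [
    ("author", keypair(2**19 - 1, 2**107 - 1)),
    ("publisher", keypair(2**61 - 1, 2**89 - 1)),
    ("distributor", keypair(2**31 - 1, 2**127 - 1)),
]
# The verifier's registry is deliberately listed in a different order.
PUBLIC = {name: dict(SIGNERS)[name][0]
          for name in ("distributor", "author", "publisher")}
CONTENT = b"constructed sample content for the signature chain"

if __name__ == "__main__":
    final = chain_sign(CONTENT, [key for _, key in SIGNERS])
    order, attempts = find_signing_order(CONTENT, final, PUBLIC)
    print("bits to embed:", final.bit_length())
    print("recovered order:", order, "after", attempts, "attempt(s)")
```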

To achieve the above object, this invention is an
information authentication method managed by a man-
ager trusted by both an information publisher and an
information browser, wherein the information publisher
adds multimedia data to information published by the
information publisher in such a way that the multimedia
data may be validated and wherein the information
browser checks the validity of the information according
to whether or not the multimedia data is validated.

In this method, the information is validated, for 
example, by the manager, who is contacted by all partic- 
ipants, validating multimedia data added to the informa- 
tion. 

More specifically, a user who browses a Web page
determines its validity according to whether the man-
ager authenticates the validity of the image data pasted
in the Web page, that is, whether the image data is
valid, and whether the manager authenticates the fact
that the image data is pasted in the Web.

In this method, when the multimedia data is vali-
dated, the information may be presented to the informa-
tion browser as necessary. For example, when the
image data is determined to be valid in the above Web
page, the information may be filtered so that the Web
page may be displayed.

To achieve the above objects, this invention pro- 
vides a method for creating authenticatable digital data 
including authentication data for authenticating the dig- 
ital data using an electronic computer, the method com- 
prising the steps of generating mark data recognizable 
by a user when the user uses the digital data; generat- 
ing watermark-embedded mark data wherein specific 
information is embedded as a digital watermark into the 
mark data; and including the watermark-embedded 
mark data into the digital data to generate the authenti- 
catable digital data. 

In this method, the specific information may be a 
hash value generated by evaluating the digital data with 
a predetermined hash function. 

The specific information may also be a digital signa- 
ture generated by encrypting an evaluation value, gen- 
erated by evaluating the digital data with a 
predetermined function, with a private key according to 
predetermined public key cipher. 

According to those methods, the mark may be vali-
dated with the information embedded in the watermark-
embedded mark data. The hash value embedded as the
digital watermark may be used to authenticate that the
mark is given to the digital data. The digital signature
embedded as the digital watermark may be used to
authenticate the validity of an individual/organization
which guarantees the mark.

This invention also provides a plurality of systems 
for realizing the methods. 



For example, this invention provides a content dis-
tribution system comprising a distribution system out-
putting a content to be distributed and a content
receiving system receiving the distributed content,
wherein the distribution system comprises encrypting
means for encrypting a content to be distributed and
wherein the receiving system comprises decrypting
means for decrypting a distributed content; signature
creating means for creating cryptographic information
by encrypting specific data using a private key in
accordance with a public key cipher system used by a
user of the receiving system; and signature embedding
means for embedding the created cryptographic infor-
mation into the content such that the cryptographic
information cannot be separated from the content with-
out using a predetermined rule.

This invention also provides a content distribution
system wherein the decrypting means, the signature
creating means, and the signature embedding means
are configured such that decrypting cannot be per-
formed by the decrypting means before the crypto-
graphic information is created and embedded by the
signature creating means and the signature embedding
means and wherein it is difficult to modify the receiving
system such that decrypting is performed by the
decrypting means before the cryptographic information
is created and embedded by the signature creating
means and the signature embedding means, respec-
tively.

This invention also provides a content distribution
system wherein the encrypting means of the distribution
system encrypts the content using the public key of the
user of the receiving system and the decrypting means
of the receiving system decrypts the content encrypted
using the private key of the user of the distribution sys-
tem.

These content distribution systems may have a ver-
ification system comprising signature extracting means
for extracting cryptographic information from the content
in which cryptographic information is embedded and
signature verifying means for verifying that a result
obtained by decrypting the extracted cryptographic
information using a public key used by content-handling
persons matches the specific data.

In these content distribution systems, the signature
creating means of the receiving system may use infor-
mation containing a decrypted-content-dependent
value as the specific data and may use a digital signa-
ture which the receiving system user has for the content
as the cryptographic information, the digital signature
being generated by encrypting the specific data using
the private key in accordance with the public key cipher
system used by the receiving system user.

This invention also provides a data processing sys-
tem used to attach a signature to a content. This system
comprises digital signature creating means for calculat-
ing a hash value by evaluating the content with a hash
function and then encrypting the calculated hash value
with a private key of a user of the data processing sys-
tem in accordance with the public key cipher system
used by the user to generate a digital signature; and
digital watermark creating means for embedding the
created digital signature into the content as a digital
watermark.

This invention also provides a system comprising a
generation system which generates authenticatable
digital data and an authentication system which authen-
ticates authenticatable digital data, wherein the genera-
tion system comprises means for generating mark data
recognizable by a user when a user uses the digital
data; means for generating watermark-embedded mark
data into which specific information is embedded as a
digital watermark; and means for including the water-
mark-embedded mark data into the digital data to gen-
erate the authenticatable digital data and wherein the
authentication system comprises means for extracting
the mark data from the authenticatable digital data;
means for extracting from the extracted mark data the
predetermined information included as the digital water-
mark; and means for authenticating the digital data
based on the extracted information.

More specifically, the authenticatable digital data is
a Web page containing mark data. Based on the infor-
mation embedded in the mark data as the digital water-
mark, the authentication system authenticates the Web
page as well as the contents output by the mark data
when the Web page is browsed. In this case, note that
the individual/organization which generates the authen-
ticatable digital data need not be the individual/organi-
zation which publishes this Web page. In this case, the
individual/organization, which generates the Web page
containing the authenticatable digital data according to
a request from the individual/organization which pub-
lishes the Web page, may also create that Web page.

This invention also provides a recording medium 
including therein a program to be run by an electronic 
computer to execute the methods described above. 

For example, this invention provides a computer-
readable medium having stored therein a program
which causes an electronic computer to perform a pro-
gram comprising the steps of generating mark data rec-
ognizable by a user when the user uses the digital data;
generating watermark-embedded mark data into which
specific information is embedded as a digital water-
mark; and including the watermark-embedded mark
data into the digital data to generate the authenticatable
digital data.

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a block diagram showing the configuration
of a content distribution system used in a first embodi-
ment of this invention.

FIG. 2 is a block diagram showing the configuration
of a provider system and a purchaser system used in
the first embodiment of this invention.



FIG. 3 is a diagram showing the general configura- 
tion of an electronic computer system used in the first 
invention of this invention. 

FIG. 4 is a flowchart showing the processing steps 
of content distribution of the first embodiment of this 
invention. 

FIG. 5 is a flowchart showing the processing steps 
of content distribution of the first embodiment of this 
invention. 

FIG. 6 is a flowchart showing the processing steps
of content distribution of the first embodiment of this
invention.

FIG. 7 is a block diagram showing the configuration
of a second content distribution system used in a sec-
ond embodiment of this invention.

FIG. 8 is a block diagram showing the configuration
of a provider system and a right-holder system used in
the second embodiment of this invention.

FIG. 9 is a diagram showing the outline configura-
tion of an authentication system of a fourth embodiment
of this invention.

FIG. 10 is a block diagram showing the hardware 
configuration of a consumer terminal used in the fourth 
embodiment of this invention. 

FIG. 11 is a block diagram showing the hardware
configuration of a vendor terminal used in the fourth
embodiment of this invention.

FIG. 12 is a block diagram showing the hardware
configuration of a WWW server used in the fourth
embodiment of this invention.

FIG. 13 is a block diagram showing the hardware
configuration of a management server used in the fourth
embodiment of this invention.

FIG. 14 is a flowchart showing the operation of the
authentication system used in the fourth embodiment of
this invention.

FIG. 15 is a diagram showing the contents of the 
mark management DB used in the fourth embodiment 
of this invention. 

FIG. 16 is a block diagram showing the outline con-
figuration of an authentication system used in the fifth
embodiment of this invention.

FIG. 17 is a block diagram showing the hardware
configuration of a consumer terminal used in the fifth
embodiment of this invention.

FIG. 18 is a block diagram showing the hardware
configuration of a mark management server used in the
fifth embodiment of this invention.

FIG. 19 is a flowchart showing the operation of the
authentication system used in the fifth embodiment of
this invention.

FIG. 20 is a diagram showing the contents of the
mark management DB used in the fifth embodiment of
this invention.

FIG. 21 is a flowchart showing the operation of a
mark management server used in a sixth embodiment
of this invention.

FIG. 22 is a flowchart showing the operation of a
consumer terminal used in the sixth embodiment of this
invention.

FIG. 23 is a flowchart showing the operation of a
mark management server used in a seventh embodi-
ment of this invention.

FIG. 24 is a flowchart showing the operation of a
consumer terminal used in the seventh embodiment of
this invention.

FIG. 25 is a block diagram showing the hardware
configuration of the consumer terminal used in the
eighth embodiment of this invention.

FIG. 26 is a block diagram showing the hardware 
configuration of a mark management server used in the 
eighth embodiment of this invention. 

FIG. 27 is a block diagram showing the hardware
configuration of a vendor terminal used in the eighth
embodiment of this invention.

FIG. 28 is a flowchart showing the operation of a
mark management server used in the eighth embodi-
ment of this invention.

FIG. 29 is a flowchart showing the operation of a 
consumer terminal used in the eighth embodiment of 
this invention. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The following describes some embodiments of this
invention.

First, a first embodiment, a second embodiment,
and a third embodiment which authenticate the relation
between digital data and an individual/organization
more reliably are described.

First the first embodiment will be described. 

The first embodiment explains an example of
authentication of the relation between digital data and
an individual/organization. More specifically, the
embodiment explains an example of authentication of
the relation between a content, one type of digital data,
and a content purchaser, one type of individual/organi-
zation, in order to prevent the content from being copied
illegally. However, it should be noted that the individ-
ual/organization need not always be a content pur-
chaser. Depending upon the situation in which this
embodiment is used, the first embodiment may be mod-
ified such that the individual/organization is a content
copyright holder, a content vendor, a content whole-
saler, or some other related person. In addition, in this
embodiment and in the second and third embodiments
that will be described later, the content is assumed to be
image data. These embodiments may also be modified
so that the content may contain other types of data,
such as text data, drawing data, audio data, or video
data.

FIG. 1 shows the configuration of a content distribu-
tion system used in this embodiment.

As shown in the figure, the content distribution sys-
tem comprises a plurality of provider systems 100, each
distributing digital data contents, and a plurality of pur-
chaser systems 200 each receiving distributed con-
tents.

Contents and other types of information are trans- 
ferred between the provider systems 100 and the pur- 
chaser systems 200 over a network 10 to which the 
provider systems 100 and the purchaser systems 200 
are connected. However, the network 10 is not always 
necessary. Contents and other types of information,
stored on a storage medium such as a floppy disk, may
also be transported or mailed between the provider sys- 
tem 100 and the purchaser system 200. 

FIG. 2 shows the configuration of the provider sys- 
tem 100 and the purchaser system 200. 

As shown in the figure, the provider system 100
comprises a processing module 110 and a storage
module 120. The processing module 110 comprises an
input/output module 111 which performs input/output
operations, a controlling module 112 which controls the
components of the provider system 100, a signature
extracting module 113 which extracts a digital signature
from a content containing the digital signature, a signa-
ture verifying module 114 which verifies a digital signa-
ture, an encrypting module 115 which encrypts a
content, and a sending/receiving module 116 which
sends or receives data to or from each purchaser sys-
tem 200. The storage module 120 stores contents 121
and verification keys 122. Note that the verification key
122 corresponds to the public key explained in Descrip-
tion of Related Art.

As shown in the figure, the purchaser system 200 com-
prises a processing module 210 and a storage module
220. The processing module 210 comprises an
input/output module 211 which performs input/output
operations, a controlling module 212 which controls the
components of the purchaser system 200, a send-
ing/receiving module 213 which sends or receives data
to or from the provider system 100, a decrypting module
214 which decrypts an encrypted content, a signature
generating module 215 which generates a digital signa-
ture, a signature embedding module 216 which embeds
a digital signature into a content, and a key generating
module 217 which creates a signature key (private key)
and a verification key (public key). The storage module
220 stores signature key 221 and signature-embedded
contents 222. Note that the signature key 221 corre-
sponds to the private key explained in Description of
Related Art.

As shown in FIG. 3, the provider system 100 and
the purchaser system 200 may be built into an elec-
tronic computer system with a standard configuration
where a CPU 301, main storage 302, an external stor-
age unit 303b which is a hard disk, an external storage
unit 303a which is not a hard disk, a communication
control unit 304, an input unit 305 such as a keyboard or
a pointing device, and an output device 306 such as a
display unit are provided.

The processing module 110 of the provider system
100 and the components of the processing module 110
are processes implemented in the electronic computer
system when the CPU 301 executes a program loaded
into the main storage 302. In this case, the main storage
302 and the external storage units 303a and 303b are
used as the storage module 120 of the provider system
100. Similarly, the processing module 210 of the pur-
chaser system 200 and the components of the process-
ing module 210 are processes implemented in the
electronic computer system when the CPU 301 exe-
cutes a program loaded into the main storage 302. In
this case, the main storage 302 and the external stor-
age units 303a and 303b are used as the storage mod-
ule 220 of the purchaser system 200.

A program for creating the provider system 100 and
the purchaser system 200 in an electronic computer
system is loaded into the main storage 302 for execu-
tion by the CPU 301. The program is pre-recorded on
the external storage unit 303b and is loaded, as neces-
sary, into the main storage 302 for execution by the CPU
301. Alternatively, the program is pre-recorded on a
portable recording medium 307 such as a CD-ROM disc
and is loaded directly, as necessary, via the external
storage unit 303a for execution by the CPU 301. It is
also possible that the program is installed from the port-
able recording medium 307 via the external storage unit
303a used for portable recording medium onto the
external storage unit 303b such as a hard disk and is
loaded, as necessary, into the main storage 302 for exe-
cution by the CPU 301.

The following explains in detail a sequence of oper- 
ations of the provider system 100 and the purchaser 
system 200 in time sequence, from content distribution 
to illegal copy detection. 

First, before a content is distributed, the key gener-
ating module 217 generates a signature key and a veri-
fication key under control of the controlling module 212
of the purchaser system 200. These keys are generated
in the same way as the conventional private key and
public key. In the following description, the private key is
called the signature key, and the public key is called the
verification key.

Next, the key generating module 217 stores the
generated signature key in the storage module 220 and,
at the same time, passes the generated verification key
to the controlling module 212. Upon receiving the verifi-
cation key, the controlling module 212 sends it to the
provider system 100 via the sending/receiving module
213. In the provider system 100, the verification key is
received by the sending/receiving module 116 and is
stored in the storage module 120.

After the above operation, the provider system 100 
sends a content to the purchaser system 200 as follows. 

The controlling module 112 works with the
input/output module 111 to accept the content to be dis-
tributed and stores it in the storage module 120. Then,
as shown in FIG. 4, the controlling module 112 controls
the encrypting module 115 to encrypt the stored content
121 with the use of the verification key 122 stored in the
storage module 120 (step 401) and sends the
encrypted content to the purchaser system 200 via the
sending/receiving module 116 (step 402).

The purchaser system 200 performs the following 
operation when it receives the encrypted content.

As shown in FIG. 5, the controlling module 212 tells 
the decrypting module 214 to decrypt the encrypted 
content, received by the sending/receiving module 213,
using the signature key stored in the storage module 
220 (step 501) and then asks the signature generating 
module 215 to generate the digital signature of the 
decrypted content using the signature key stored in the 
storage module 220 (step 502). 

To generate the digital signature, the signature gen-
erating module 215 calculates the 160-bit hash value of
the decrypted content using a predetermined one-way 
hash function and then encrypts the resulting 160-bit 
hash value using the signature key stored in the storage 
module 220. 

Once the digital signature is generated, the control- 
ling module 212 tells the signature embedding module 
216 to embed the digital signature into the decrypted 
content inseparably according to a predetermined rule 
(step 503) and then stores the signature-embedded
content in the storage module 220. The digital signature 
is embedded, for example, by the digital watermark 
technique explained in Description of Related Art.

Now, assume that the purchaser has created an
illegal copy of the content which is stored in the storage
module 220 and into which the digital signature is
embedded (without an appropriate authority to create a 
copy) and has transferred the created copy to a third 
party. As explained in Description of Related Art, the 
purchaser cannot remove the digital signature, which is 
embedded in the content, for example, in the form of a 
digital watermark, from the content. That is, the pur- 
chaser cannot create a complete but illegal copy which 
has no digital signature embedded. 

When the illegally-copied content in which the dig-
ital signature is embedded is seized, the provider sys-
tem 100 performs the following to identify the purchaser
who created the illegal copy.

That is, as shown in FIG. 6, the controlling module 
112 of the provider system 100 works with the input/out-
put module 111 to store the illegally-copied content in
the storage module 120 and then tells the signature 
extracting module 113 to extract the digital signature 
from the illegally-copied content (step 601). Note that 
the storage module 120 of the provider system 100 con- 
tains the original content (with no digital signature 
embedded) of the illegally-copied content. This allows 
the signature extracting module 113 to find the differ- 
ence between the original content and the illegally-cop- 
ied content and therefore to extract the digital signature. 
If it is possible, the digital signature may be extracted
according to the rule by which the digital signature was 
embedded into the content. 
Next, the controlling module 112 tells the signature
verifying module 114 to verify the digital signature (step
602). To do so, the signature verifying module 114
decrypts the extracted digital signature using the verifi-
cation key 122 of a user stored in the storage module
120 and compares the resulting value with the hash
value obtained by evaluating the original content in the
storage module 120 with the use of the same one-way
hash function as that used by the purchaser system
200. If the rule used by the purchaser system 200 to
embed the digital signature into the content is known
only to the provider and if the digital signature may be
removed from the content according to that rule, the
content from which the digital signature is removed may
be used instead of the original content.

If the hash value obtained by evaluating the original 
content matches the value of the decrypted digital sig-
nature, it is determined that the illegal copy was created
by the purchaser corresponding to the verification key 
used in decrypting the digital signature. If not, the digital 
signature extracted from the illegal copy is decrypted 
with the use of the verification key of some other pur- 
chaser and a check is made to see if the decrypted 
value matches the hash value of the original content. 

The first embodiment of this invention is as 
described above. 

If, in the above embodiments, the purchaser system
200 only decrypts a content received from the provider
system 100 but does not embed a digital signature into
it, the purchaser is able to obtain the content with no
purchaser information embedded. In this case, the pur-
chaser cannot be identified from an illegal copy of the
content.

To avoid this, the above-described controlling mod-
ule 212 is configured to perform both content decryption
and digital signature creation/embedding. Hardware
protection and software protection are used to ensure
that these two will always be paired. More specifically,
the provider provides the purchaser with a program
designed to perform both digital signature creation and
digital signature embedding. The system is designed to
allow only this program to decrypt a content sent from
the provider system 100. Also, to prevent this program
from being modified, this program is designed to have
some means for protecting it against modification.

Decryption and digital signature creation/embed-
ding may also be carried out, not by the CPU 301 of the
electronic computer shown in FIG. 3, but by a provider-
supplied IC card which is protected against modifica-
tion. In this case, upon receiving an encrypted content
from the computer, the IC card which is connected to
the computer returns the content in which digital signa-
ture is embedded.

A hardware unit specifically designed to protect 
against modification may also be used. 

As mentioned above, in order to identify the pur-
chaser who created an illegal copy, the first embodiment
uses a signature key (private key) which is known only
to the purchaser and performs verification using infor-
mation which may be created only by the purchaser.
Therefore, information embedded in an illegal copy is
more useful in identifying the purchaser who created the
illegal copy. In addition, because a digital signature
based on a content-dependent hash value is embed-
ded, the correspondence between the purchaser and
the content is more clearly understood.

Provided that embedded information is integrated
into the content inseparably, data known to the provider
system 100 and purchaser system 200 may also be
used instead of a digital signature based on a content-
dependent hash value. For example, a digital signature
based on the hash value of text data, such as a pur-
chaser's name, may be used.

The following describes the second embodiment of 
this invention: 

The second and third embodiments explain an
example of authentication of the relation between digital
data and individuals/organizations. More specifically,
the embodiments explain an example of authentication
of the relation between a content, one type of digital
data, and a plurality of content copyright holders, one
type of individual/organizations, in order to display the
plurality of copyright holders of the content. However, it
should be noted that the plurality of individuals/organi-
zations need not always be a plurality of content copy-
right holders. Depending upon the situation in which the
second embodiment and the third embodiment which
will be described later are used, the embodiments may
be modified such that the individuals/organizations are
a plurality of content purchasers, a plurality of content
vendors, a plurality of content wholesalers, or a combi-
nation of different types of individuals/organizations.

The second embodiment relates to a distribution
content creation system which creates a distribution 
content in which a plurality of digital signatures of hold- 
ers, such as a plurality of copyright holders, are embed- 
ded. 

FIG. 7 shows the configuration of the distribution
content creation system. 

As shown in the figure, the distribution content cre-
ation system comprises one or a plurality of provider
systems 100, each distributing contents, and a plurality
of right-holder systems 700 used by right holders. Con-
tents and other types of information are transferred
between the provider systems 100 and the right-holder
systems 700 over a network 10 to which the provider
system 100 and the right-holder systems 700 are con-
nected. However, the network 10 is not always neces-
sary. Contents and other types of information, stored on
a storage medium such as a floppy disk, may also be
transported or mailed between the provider system 100
and the right-holder system 700. In addition, the pro-
vider system 100 used in this distribution content crea-
tion system may function also as the provider system
100 in the content distribution system shown in FIG. 1 to
combine two systems into one.
FIG. 8 shows the configuration of the provider sys-
tem 100 and the right-holder system 700.

As shown in the figure, the provider system 100 has
the same configuration as that of the provider system
100 shown in FIG. 2, and the right-holder system 700
has the same configuration as that of the purchaser sys-
tem 200 shown in FIG. 2. Like the systems in the first
embodiment, both the provider system 100 and the
right-holder system 700 may be implemented on an
electronic computer such as the one shown in FIG. 3.

In the distribution content system like this, a distri- 
bution content in which a plurality of signatures of right 
holders are embedded is created as described below. 

Assume that the signature key and the verification
key of the provider system 100 have already been gen-
erated and that the verification key of the provider sys-
tem 100 has been distributed to each right-holder
system. Also assume that each right-holder system 700
encrypts a content or various types of information using
the verification key of the provider system 100 before
sending them to the provider system 100 and that the
provider system 100 decrypts received information
using the signature key of the provider system 100. The
encryption configuration and decryption configuration of
information sent from each right-holder system 700 to
the provider system 100 are omitted in FIG. 7, because
they are the same as those of information sent from the
provider system 100 to the right-holder system 700 or to
the purchaser system 200.

In this situation, before creating a content to be dis-
tributed, a key generating module 717 in the right-holder
system 700 generates a signature key and a verification
key under control of a controlling module 712. These
keys are generated in the same way as the conventional
private key and public key are generated.

Next, the key generating module 717 stores the
generated signature key in a storage module 720 and,
at the same time, passes the generated verification key
to the controlling module 712. The controlling module
712 sends this verification key to the provider system
100 via a sending/receiving module 713. The provider
system 100 receives the verification key via the send-
ing/receiving module 116 and stores it in the storage
module 120.

After the above processing, the provider system
100 sequentially sends a content to the right-holder sys-
tems 700 of all right holders, one right-holder system at
a time, and sends the content returned from each right-
holder system to the right-holder system 700 of the next
right holder.

The controlling module 112 works with the
input/output module 111 to accept a distribution con-
tent, stores it in the storage module 120, asks the
encrypting module 115 to encrypt the stored content
121 using the verification key 122, which is sent from
the right-holder system 700 to which the content is to be
sent and which is stored in the storage module 120, and
sends the encrypted content to the right-holder system
700 via the sending/receiving module 116. When the
content encrypted using the verification key of the pro-
vider system 100 is returned from the right-holder sys-
tem 700, the provider system 100 decrypts it using the
verification key of the provider system 100, encrypts the
content using the verification key of the next right-holder
system 700 to which the content is to be sent, and
sends it to the next right-holder system 700. When
sending the content, an instruction to use an abbrevi-
ated digital signature is sent to the right-holder systems
700 other than the first one.

On the other hand, the right-holder system 700 
which receives the encrypted content from the provider
system 100 performs the following. 

The controlling module 712 tells a decrypting mod-
ule 714 to decrypt the encrypted content received via
the sending/receiving module 713 using the signature
key stored in the storage module 720, and tells a signa-
ture generating module 715 to generate a digital signa-
ture of the decrypted content using the signature key
stored in the storage module 720.

To generate the digital signature, the 160-bit hash 
value of the decrypted content is calculated using a pre- 
determined one-way hash function and the resulting 
160-bit hash value is encrypted using the signature key
stored in the storage module 720. If an instruction to use
an abbreviated digital signature is attached to the
received content, an 80-bit hash value is calculated and
then encrypted using the signature key stored in the
storage module 720 to create a digital signature. 

When the digital signature is generated, the control- 
ling module 712 tells a signature embedding module 
716 to embed the digital signature into the decrypted 
content inseparably according to a predetermined rule. 
Embedding is carried out, for example, with the digital
watermark technique described in Description of 
Related Art. The content into which the digital signature 
is embedded is then returned to the provider system 
100 via the sending/receiving module 713. 

As a result, the final content, in which the digital sig- 
natures are embedded in the sequence as described 
below, is returned from the last right-holder system 700 
to the provider system 100. 

Let the content D, in which the i-th right holder's
signature is embedded, be represented as Fi(D). Then,
the first right holder embeds the digital signature, which
is the 160-bit hash value of the original content, into the
content to create F1(D). The second right holder
embeds the digital signature, which is the 80-bit hash
value of the content in which the first right holder's dig-
ital signature is embedded, to create F2(F1(D)). This
process is repeated, and the n-th right holder embeds
the digital signature, which is the 80-bit hash value of
the content in which the first to the (n-1)th right holder's
digital signatures are embedded, into the content to cre-
ate Fn(Fn-1(...(F2(F1(D)))...)).

A content to be distributed by the provider system
100 is the content returned from the last right holder.
The sequentially-arranged digital signatures of all right
holders are embedded in that content.

As described above, in the second embodiment, 
the number of bits of the hash value used by the second 
and the subsequent right holders is half the number of 
the hash value of the first right holder. This is because 
forging a content in which a digital signature is embed-
ded is more difficult than forging a content in which no
digital signature is embedded. Therefore, the number of 
bits of the hash value of digital signature of the second 
and the subsequent right holders may be reduced to 
half that of the first right holder with no effect on the 
security. That is, the security is maintained as if the 160- 
bit hash value was used for the digital signatures of all 
right holders. 

Verification of the content in which digital signatures 
are embedded is carried out as in the first embodiment. 
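
The trace-back of the first embodiment (steps 502, 503, 601 and 602) and the nested right-holder signatures Fn(...F1(D)) of the second embodiment can be exercised together in a short Python sketch. This is an added example, not code from the patent: the toy RSA keys built from Mersenne primes, the unpadded signature, the XOR-into-least-significant-bit embedding rule with one 256-byte slot per signer, the inside-out verification of the nested signatures, and the names alice and bob are all assumptions made for illustration, and the content encryption of steps 401 and 501 is left out.

```python
import hashlib

E = 65537        # public exponent shared by the toy keys (assumption)
SIG_BITS = 256   # assumed slot width; every toy modulus is below 2**256

def make_key(p, q):
    """Textbook RSA: returns (n, d). (n, d) is the signature key, n the verification key."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def content_hash(content, bits=160):
    """SHA-1 of the content truncated to `bits` bits, as an integer."""
    return int.from_bytes(hashlib.sha1(content).digest()[:bits // 8], "big")

def sign(content, key, bits=160):
    """'Encrypt the hash value with the signature key' (unpadded RSA, illustration only)."""
    n, d = key
    return pow(content_hash(content, bits), d, n)

def embed(content, sig, slot=0):
    """Assumed embedding rule: XOR bit i of the signature into the least
    significant bit of byte slot*SIG_BITS + i. Stands in for a real watermark."""
    out = bytearray(content)
    for i in range(SIG_BITS):
        out[slot * SIG_BITS + i] ^= (sig >> i) & 1
    return bytes(out)

def extract(original, copy, slot=0):
    """Step 601: recover the signature as the difference between original and copy."""
    base = slot * SIG_BITS
    return sum(((original[base + i] ^ copy[base + i]) & 1) << i
               for i in range(SIG_BITS))

def purchaser_receive(content, key):
    """Steps 502-503: sign the decrypted content and embed the signature in it."""
    return embed(content, sign(content, key))

def identify_purchaser(original, copy, verification_keys):
    """Step 602: try each registered verification key until the decrypted
    signature equals the hash of the original. None means nobody matched,
    e.g. a copy that was decrypted without the embedding step."""
    sig, expected = extract(original, copy), content_hash(original)
    for name, n in verification_keys.items():
        if sig < n and pow(sig, E, n) == expected:
            return name
    return None

def nest_signatures(content, holder_keys):
    """Second embodiment: holder i signs the content as received (160-bit hash
    for the first holder, 80-bit afterwards) and embeds into slot i."""
    for i, key in enumerate(holder_keys):
        content = embed(content, sign(content, key, 160 if i == 0 else 80), slot=i)
    return content

def verify_nested(original, final, moduli):
    """Rebuild F1(D), F2(F1(D)), ... from the original and count how many
    signatures verify in order before the first failure."""
    current = original
    for i, n in enumerate(moduli):
        sig = extract(original, final, slot=i)
        if sig >= n or pow(sig, E, n) != content_hash(current, 160 if i == 0 else 80):
            return i
        current = embed(current, sig, slot=i)
    return len(moduli)

# Constructed sample data: a 1024-byte stand-in for image pixels and two toy keys.
ORIGINAL = bytes(range(256)) * 4
ALICE = make_key(2**127 - 1, 2**89 - 1)
BOB = make_key(2**107 - 1, 2**61 - 1)
REGISTERED = {"alice": ALICE[0], "bob": BOB[0]}

if __name__ == "__main__":
    leaked = purchaser_receive(ORIGINAL, BOB)
    print("leak traced to:", identify_purchaser(ORIGINAL, leaked, REGISTERED))
    print("unmarked copy:", identify_purchaser(ORIGINAL, ORIGINAL, REGISTERED))
    final = nest_signatures(ORIGINAL, [ALICE, BOB])
    print("nested signatures verified:", verify_nested(ORIGINAL, final, [ALICE[0], BOB[0]]))
    damaged = bytearray(final)
    damaged[SIG_BITS] ^= 1   # flip one embedded bit of the second holder's signature
    print("after tampering:", verify_nested(ORIGINAL, bytes(damaged), [ALICE[0], BOB[0]]))
```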

Next, the third embodiment of this invention will be 
described. 

The third embodiment is a modification of the digital 
signature embedding method for right holders which 
was described in the second embodiment.

That is, in the third embodiment, the first right 
holder encrypts the content sent from the provider to 
generate a digital signature as in the second embodi- 
ment. However, unlike the second embodiment, the 
right-holder system 700 of the first right holder does not 
embed the digital signature in the content but returns 
the digital signature to the provider system 100. The 
provider system 100 receives the digital signature of the
first right holder and sends it to the right-holder system 
700 of the second right holder. The second right-holder 
system 700 encrypts the hash value of the first right 
holder's digital signature to generate a digital signature. 
This process is repeated for the subsequent right hold- 
ers. The right-holder system 700 of the second and the 
subsequent right holders encrypts the hash value of the 
previous right holder's digital signature to generate his 
own digital signature. 

When the provider system 100 receives the digital 
signature from the right-holder system 700 of the last 
right holder, it embeds the digital signature into the orig-
inal content, for example, as a digital watermark.

Instead of embedding the digital signature, the pro- 
vider system 100 may send the original content to the 
right-holder system 700 of the last right holder to ask it 
to embed the final digital signature into the content and 
to send it back to the provider. 

Digital signature embedding may also be carried out as follows. That is, the right-holder system 700 of the first right holder embeds a digital signature, created by encrypting the hash value of the content, into the content, and sends the content to the next right-holder system 700 via the provider system 100. The right-holder systems 700 of the second and the subsequent right holders each extract the previous right holder's digital signature from the content in which the digital signature is embedded, encrypt the hash value of the extracted digital signature to create the digital signature of his own, and embed the created digital signature into the original content received from the provider system 100. Alternatively, each of the right-holder systems 700 replaces the previous right holder's digital signature, embedded in the content, with the digital signature of his own. The right-holder system 700 then sends the content, in which his digital signature is embedded, to the next right-holder system 700 via the provider system 100.

Verification of digital signatures embedded in the content is carried out as described in Applied Cryptography, John Wiley & Sons, Inc. (1996), pp. 39-41, referenced in Description of Related Art. Note that the digital signature of the last right-holder is extracted from the content into which the digital signature was embedded.

The third embodiment of this invention is as 
described above. 

In the second and third embodiments, the size of the hash value used for the digital signatures of the second and the subsequent right holders is half that of the digital signature used for the first right holder, or the digital signature of the second and subsequent right holders is created from the digital signature of the previous right holder. This makes it possible to embed the digital signatures of a plurality of right holders, preventing the quality of content data from being degraded. Provided that embedded information is integrated into the content inseparably, data known to the provider system 100 and right-holder system 700 may also be used instead of a digital signature based on a content-dependent hash value. For example, a digital signature based on the hash value of text data, such as a purchaser's name, may be used.

The following describes the fourth to eighth embodiments. In these embodiments, the relation between digital data and an individual/organization can be authenticated and, at the same time, information on the individual/organization is presented directly to a user so that the user can authenticate the relation between digital data and the individual/organization.

In the fourth to eighth embodiments, the following is assumed: the digital data is a Web page, the individual/organization whose relation with the Web page is to be authenticated is a credit card company, and a vendor uses the logo mark of the credit card company in the Web page. Note that this is an example. Depending upon the situation, the individual/organization whose relation with the Web page is to be authenticated may be any individual/organization other than a credit card company; for example, it may be a Web page creator or any individual/organization which approves the relation with the Web page (for example, a Web page evaluation or recommendation organization). Similarly, the vendor in the example may be replaced with a Web page provider who uses the logo mark of an individual/organization whose relation with the Web page is to be authenticated.
In the fourth to eighth embodiments, digital data is directly presented to the user with the use of the logo mark (image data) of an individual/organization whose relation with the digital data is to be authenticated. This presentation object may take another form that may be sensible to the user when the user uses the digital data. For example, text data, drawing data, audio data, and video data may be used. Alternatively, the presentation object need not be an object which directly represents an individual/organization whose relation with the digital data is to be authenticated; for example, a mark representing the digital data evaluation result produced by an individual/organization may be used.

First, the fourth embodiment will be described.

FIG. 9 shows the configuration of an authentication system used in the fourth embodiment.

As shown in the figure, the authentication system is used by a plurality of consumers 1100-1 to 1100-n (hereafter, also called consumer 1100) who buy goods, a vendor 1110 who sells goods, and a mark manager 1120 who manages various types of mark. As shown in FIG. 9, a plurality of consumer terminals 1101-1 to 1101-n (hereafter, also called a consumer terminal 1101), a vendor terminal 1112, a WWW server 1113, and a mark management server 1122 are interconnected via a communication network 1140 such as the Internet. The mark manager 1120 is an authentic organization available for use by all mark owners (such as vendor 1110) in this system. Note that the mark owner may also act as the mark manager 1120. In this case, the vendor terminal 1112, WWW server 1113, and mark management server 1122 may share the same machine.

The consumer terminal 1101 is a terminal used by the consumer 1100. The consumer terminal 1101 has a display unit 1102 on which document data or image data is presented to the consumer 1100 and an input unit 1103-1 or 1103-2 (hereafter, also simply called an input unit 1103) through which the consumer 1100 enters data and instructions. The consumer 1100 transfers data to or from the vendor 1110 or the mark manager 1120 via the consumer terminal 1101 and communication network 1140.

The vendor terminal 1112 is a terminal used by the vendor 1110. The vendor 1110 uses the vendor terminal 1112 to create a Web page of a store 1111 that is managed by the vendor or to transfer data to or from the mark manager 1120.

The WWW server 1113, which is a server on which a later-described WWW server program 1407b runs, sends a Web page stored in a Web page DB 1114 when accessed by a later-described browser program 1204b via the consumer terminal 1101. The Web page which is sent is displayed on the display unit 1102 on the consumer terminal 1101.

The mark management server 1122 sends a mark upon request from the vendor 1110. In addition, upon request from the consumer 1100, the server 1112 checks the validity of the mark (that is, checks if the mark was sent from the mark management server 1122 to the vendor 1110 before the request was received) and sends the result back to the consumer 1100.

Next, the consumer terminal 1101, the WWW server 1113, and the mark management server 1122, which are comprised in the authentication system of the fourth embodiment, are described.

FIG. 10 shows the hardware configuration of the 
consumer terminal 1101. 

As shown in FIG. 10, the consumer terminal 1101 used in the fourth embodiment comprises the display unit 1102, the input unit 1103, a communication interface 1201, a storage unit 1202, a central processing unit (CPU) 1203, and a temporary storage unit (memory) 1204, all interconnected by a bus 1200.

The display unit 1102, used to display messages for the consumer 1100 who uses the consumer terminal 1101, is composed of a CRT, a liquid crystal display, and so forth.

The input unit 1103, used by the consumer 1100 on the consumer terminal 1101 to enter data or instructions, is composed of a keyboard, mouse, and so forth.

The communication interface 1201 is an interface through which data is transferred to or from the WWW server 1113 or mark management server 1122 via the communication network 1140.

The storage unit 1202, usually a hard disk unit or floppy disk unit, permanently stores the programs and data to be used by the consumer terminal 1101.

The CPU 1203 integrally controls the components 
of the consumer terminal 1101 and performs various 
types of operation. 

The memory 1204 temporarily contains the programs used by the CPU 1203 to perform the above processing. These programs include an operating system 1204a (hereafter also called OS 1204a), the browser program 1204b, and a validity check program A 1204c.

The OS 1204a performs the file management, process management, or device management functions for all consumer terminals 1101.

The browser program 1204b allows the consumer terminal 1101 to communicate with the WWW server 1113 to download Web pages from the Web page DB 1114.

The validity check program A 1204c allows the consumer terminal 1101 to communicate with the mark management server 1122 to check the validity of the mark attached to the Web page downloaded from the WWW server 1113.

FIG. 11 shows the hardware configuration of the vendor terminal 1112.

As shown in FIG. 11, the vendor terminal 1112 used in the fourth embodiment comprises a display unit 1301, an input unit 1302, a communication network interface 1303, a storage unit 1304, a central processing unit (CPU) 1305, and a temporary storage unit (memory) 1306, all interconnected by a bus 1300.

The display unit 1301, used to display messages for the vendor 1110 who uses the vendor terminal 1112, is composed of a CRT, a liquid crystal display, and so forth.

The input unit 1302, used by the vendor 1110 on the vendor terminal 1112 to enter data or instructions, is composed of a keyboard, mouse, and so forth.

The communication interface 1303 is an interface through which data is transferred to or from the WWW server 1113 or mark management server 1122 via the communication network 1140.

The storage unit 1304, usually a hard disk unit or floppy disk unit, permanently stores the programs and data to be used by the vendor terminal 1112.

The CPU 1305 integrally controls the components 
of the vendor terminal 1112 and performs various types 
of operation. 

The memory 1306 temporarily contains the programs used by the CPU 1305 to perform the above processing. These programs include an OS 1306a, a Web page creation program 1306b, and mark acquisition program 1306c.

The OS 1306a performs the file management, process management, or device management functions for the whole vendor terminal 1112.

A Web page creation program 1306b communicates with the WWW server 1113 when the vendor 1110 creates a Web page and stores the created Web page in the Web page DB 1114.

A mark acquisition program 1306c allows the vendor terminal 1112 to communicate with the mark management server 1122 to acquire a mark to be pasted into a Web page.

FIG. 12 shows the hardware configuration of the 
WWW server 1113. 

As shown in FIG. 12, the WWW server 1113 used in the fourth embodiment comprises a display unit 1401, an input unit 1402, a communication network interface 1403, a Web page DB interface 1404, a storage unit 1405, a central processing unit (CPU) 1406, and a temporary storage unit (memory) 1407, all interconnected by a bus 1400.

The display unit 1401, used to display messages for the vendor 1110 who uses the WWW server 1113, is composed of a CRT, a liquid crystal display, and so forth.

The input unit 1402, used by the vendor 1110 on the WWW server 1113 to enter data or instructions, is composed of a keyboard, mouse, and so forth.

The communication interface 1403 is an interface through which data is transferred to or from the consumer terminal 1101 or vendor terminal 1112 via the communication network 1140.

The Web page DB interface 1404 is an interface through which data is transferred to or from the Web page DB 1114.

The storage unit 1405, usually a hard disk unit or a floppy disk unit, permanently stores the programs and data to be used by the WWW server 1113.

The CPU 1406 integrally controls the components of the WWW server 1113 and performs various types of operation.

The memory 1407 temporarily contains the pro- 
grams used by the CPU 1406 to perform the above 
processing. These programs include an OS 1407a and 
a WWW server program 1407b. 

The OS 1407a performs the file management, process management, or device management functions to control the whole WWW server 1113.

The WWW server program 1407b communicates with the vendor terminal 1112 and stores received Web pages in the Web page DB 1114. It also sends Web pages from the Web page DB 1114 when a request is issued from the browser program 1204b running on the consumer terminal 1101.

FIG. 13 shows the hardware configuration of the mark management server 1122.

As shown in FIG. 13, the mark management server 1122 used in the fourth embodiment comprises a display unit 1501, an input unit 1502, a communication network interface 1503, a mark management DB interface 1504, a storage unit 1505, a central processing unit (CPU) 1506, and a temporary storage unit (memory) 1507, all interconnected by a bus 1500.

The display unit 1501, used to display messages for the mark manager 1120 who uses the mark management server 1122, is composed of a CRT, a liquid crystal display, and so forth.

The input unit 1502, used by the mark manager 1120 on the mark management server 1122 to enter data or instructions, is composed of a keyboard, mouse, and so forth.

The communication interface 1503 is an interface 
through which data is transferred to or from the con- 
sumer terminal 1101 or vendor terminal 1112 via the 
communication network 1140. 

The mark management DB interface 1504 is an interface through which data is transferred to or from a mark management DB 1123. The mark management DB 1123 is used for mark management and contains data on mark types, mark expiration periods, vendor ID information, URLs of vendor's Web pages, and so forth in such a format as is shown in FIG. 15. It is apparent in FIG. 15 that, when no expiration period is provided for marks or when the mark manager 1120 issues only one type of mark, the corresponding items (expiration period and mark type) need not be managed.

The storage unit 1505, usually a hard disk unit or a floppy disk unit, permanently stores the programs and data to be used by the mark management server 1122.

The CPU 1506 integrally controls the components of the mark management server 1122 and performs various types of operation.

The memory 1507 temporarily contains the programs used by the CPU 1506 to perform the above processing. These programs include an OS 1507a and a mark management program A 1507b.

The OS 1507a performs the file management, process management, or device management functions to control the whole mark management server 1122.

Upon receiving a mark-send request from the vendor terminal 1112, the mark management program A 1507b checks the vendor 1110 to see if a mark is to be sent and, if the mark is to be sent, sends the mark managed in the mark management DB 1123 to the vendor 1110. When the consumer terminal 1101 sends a mark validity check request, the mark management program A 1507b references the mark management DB 1123 to check the validity of the mark and returns the result.

Next, the operation of the authentication system 
used in the fourth embodiment will be explained. 

FIG. 14 shows a series of operations that are performed when the vendor 1110 receives a mark from the mark manager 1120, the vendor 1110 pastes the mark in the Web page for publication, and then the consumer 1100 browses the Web page and checks the validity of the Web page. The figure shows the operation of each person: consumer 1100, vendor 1110, and mark manager 1120.

In FIG. 14, the consumer 1100 uses the consumer terminal 1101, and the vendor 1110 uses the vendor terminal 1112 and the WWW server 1113. The mark manager 1120 uses the mark management server 1122.

First, the vendor 1110 sends a mark-send request, specifying the URL of his own Web page and a mark type, to the mark manager 1120 (step 1600).

Upon receiving the request, the mark manager 1120 determines whether or not the mark specified by the mark type requested by the request is to be sent to the vendor 1110 (step 1601) and, if the mark manager 1120 determines to do so, updates the mark management DB 1123 (step 1602) and sends the mark to the vendor 1110 (step 1603). If the mark manager 1120 determines not to do so, he sends the message stating this fact to the vendor 1110. In the fourth embodiment, whether or not to send the mark depends on whether the vendor 1110 has a right to get the mark, that is, whether the store of the vendor 1110 is an agent of the credit card company corresponding to the requested logo mark. Depending upon the situation in which the mark is used, other criteria may be used.

When the vendor 1110 receives the mark, he creates a Web page in which the mark is pasted (step 1604), sets in the mark the link to the mark manager 1120 (step 1605), and stores the Web page in the Web page DB 1114 for access by the consumer 1100 (step 1606).

Next, the consumer 1100 sends a Web page send request, including the URL of the above-described Web page, to the vendor 1110 (step 1607).

Upon receiving the request, the vendor 1110 searches the Web page DB 1114 for the Web page corresponding to the requested URL (step 1608) and returns it to the consumer 1100 (step 1609).

Upon receiving the Web page, the consumer 1100 displays it (step 1610) and then clicks the mark pasted on the displayed Web page (step 1611) in order to send the validity check request, including the URL of the Web page, to the mark manager 1120 (step 1611). If, at that time, the validity check request cannot be sent to the mark manager 1120 because the link to the mark manager 1120 is not specified for the mark, the consumer 1100 determines that the validity of the mark cannot be confirmed (i.e., the mark is invalid) and ends processing.

When the mark manager 1120 receives the request, he searches the mark management DB 1123 to check if the mark has already been sent to the vendor 1110 specified by the URL in the request and, if the mark has already been sent, checks that the mark has not yet expired (step 1612). The mark manager 1120 then sends one of the following three results to the consumer 1100 (step 1613): (1) The mark has not yet been issued to the vendor 1110 specified by the URL; (2) The mark has already been issued to the vendor 1110 specified by the URL but has already expired; (3) The mark has already been issued to the vendor 1110 specified by the URL and the mark has not yet expired.

Finally, processing ends when the consumer 1100 
confirms the above result (step 1614). 

In the above procedure, the validity check result information is sent to the consumer 1100 in the form of the balloon message, saying "Valid", displayed on the display unit 1102 as shown in FIG. 9 (or "Invalid", "Expired", "Link invalid"). Other display methods may be used. Sounds may be used, or sounds and display messages may be combined.

In the fourth embodiment, the mark manager 1120 sends a mark to only the vendor 1110 which is eligible to receive the mark, with the mark related information (ID of the vendor 1110 to which the mark was sent, URL of the Web page, expiration status of the mark) managed in the mark management DB 1123. In addition, the mark manager 1120 references the mark management DB 1123 to check if the mark has already been sent to the vendor 1110 specified by the URL included in the validity check request that was sent from the consumer 1100. If the mark has already been sent, the mark manager checks that the mark has not expired and informs the consumer 1100 of the result.

The consumer 1100 uses the link information stored in the mark pasted in the Web page to contact the mark manager 1120 and to confirm the validity of the mark. If the link to the mark manager 1120 is not set up correctly and therefore the validity check request cannot be sent to the mark manager 1120, the consumer 1100 determines that the mark is not validated (invalid mark).

Therefore, in the fourth embodiment, if an illegal vendor copies the mark from the Web page of a legal vendor into his own Web page, the validity of the mark cannot be checked during the validity check because the mark management DB 1123 managed by the mark manager does not contain a record indicating that the mark was sent to the Web page of the illegal user. As a result, the consumer 1100 who browses the vendor's Web page can check the validity of the information indicated by the mark pasted in the Web page.
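The exchange of FIG. 14 as an added Python sketch (not part of the patent text): the mark manager records each issued mark against the page URL, and the consumer's click returns one of the four balloon messages. The vendor IDs, URLs, dates, the `agents` set and the mapping of results (1) to (3) onto "Invalid", "Expired" and "Valid" are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class MarkRecord:
    """One row of the mark management DB (the items the text lists for FIG. 15)."""
    mark_type: str
    vendor_id: str
    url: str
    expires: date


@dataclass(frozen=True)
class PastedMark:
    """A mark as it appears in a Web page: its type plus the link set in step 1605."""
    mark_type: str
    manager_link: Optional[str]  # None models a mark whose link was never set


class MarkManager:
    def __init__(self, agents: Set[Tuple[str, str]]):
        self.agents = agents  # (vendor_id, mark_type) pairs entitled to a mark (assumed model)
        self.db: Dict[Tuple[str, str], MarkRecord] = {}

    def handle_mark_request(self, vendor_id: str, url: str, mark_type: str,
                            expires: date) -> bool:
        """Steps 1601-1603: decide, record the issue in the DB, send the mark."""
        if (vendor_id, mark_type) not in self.agents:
            return False  # refusal message goes back to the vendor
        self.db[(url, mark_type)] = MarkRecord(mark_type, vendor_id, url, expires)
        return True

    def handle_validity_check(self, url: str, mark_type: str, today: date) -> str:
        """Step 1612: was this mark issued for this URL, and is it still in date?"""
        record = self.db.get((url, mark_type))
        if record is None:
            return "Invalid"   # result (1): never issued for this URL
        if today > record.expires:
            return "Expired"   # result (2)
        return "Valid"         # result (3)


def consumer_click(page_url: str, mark: PastedMark,
                   reachable: Dict[str, MarkManager], today: date) -> str:
    """Steps 1611-1614 on the consumer terminal.

    page_url is the address the browser fetched the page from; it must not be
    read out of the page content, which the page's publisher controls.
    """
    manager = reachable.get(mark.manager_link) if mark.manager_link else None
    if manager is None:
        return "Link invalid"  # the request could not be sent at all
    return manager.handle_validity_check(page_url, mark.mark_type, today)


def run_scenarios() -> Dict[str, str]:
    link = "http://marks.example/check"  # constructed manager address
    manager = MarkManager(agents={("vendor-001", "card-logo-A")})
    reachable = {link: manager}
    shop, copycat = "http://shop.example/", "http://copycat.example/"
    expiry, before, after = date(1999, 6, 30), date(1999, 1, 15), date(1999, 7, 1)

    issued = manager.handle_mark_request("vendor-001", shop, "card-logo-A", expiry)
    refused = manager.handle_mark_request("vendor-999", copycat, "card-logo-A", expiry)
    mark = PastedMark("card-logo-A", link)
    unlinked = PastedMark("card-logo-A", None)

    return {
        "issued to agent": str(issued),
        "issued to non-agent": str(refused),
        "agent page": consumer_click(shop, mark, reachable, before),
        "mark copied to other page": consumer_click(copycat, mark, reachable, before),
        "agent page after expiry": consumer_click(shop, mark, reachable, after),
        "mark without link": consumer_click(shop, unlinked, reachable, before),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The copied mark fails only because the lookup is keyed on the URL the consumer actually browsed, which is the property the paragraph above relies on.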

In the fourth embodiment, the validity check is triggered by the consumer 1100 clicking on the mark. The embodiment may be modified so that the validity check is triggered automatically when the Web page is received. It may also be modified so that the Web page is displayed when the mark is validated.

In the description of the fourth embodiment, the vendor terminal 1112 and the WWW server 1113 are separate machines. However, they may be the same machine.

The fifth embodiment will be described below.

FIG. 16 shows the configuration of an authentication system used in the fifth embodiment.

The configuration of the authentication system 
used in the fifth embodiment is basically the same as 
that shown in FIG. 9, except that public keys DB 1801-1 
to 1801-n (hereafter called public key DB 1801) are 
each connected to consumer terminals 1800-1 to 1800- 
n (hereafter called consumer terminal 1800). 

The public key DB 1801, like the one shown in FIG. 20, is used for management of the public keys of mark manager 1120. These public keys are used for verifying digital signatures (hereafter also called signature) generated by mark manager 1120.

FIG. 17 shows the hardware configuration of the consumer terminal 1800 used in the fifth embodiment.

The hardware configuration of the consumer terminal 1800 used in the fifth embodiment is basically the same as that shown in FIG. 10, except that a public key DB interface 1900 is provided and that a validity check program B 1902 is stored in and run from a memory 1901.

The public key DB interface 1900 is an interface via which data is transferred to or from the public key DB 1801. The validity check program B 1902 communicates with a mark management server 1810 to get the public key of the mark manager 1120 and to validate the mark containing the signature pasted in the Web page downloaded from the WWW server 1113.

FIG. 18 shows the hardware configuration of the 
mark management server 1810 used in this embodi- 
ment. 

The hardware configuration of the mark management server 1810 used in the fifth embodiment is basically the same as that shown in FIG. 13, except that a validity check program B 11001 is stored in and run from a memory 11000.

The validity check program B 11001 performs the following two operations: (1) when a public key send-request is received from the consumer terminal 1800, the program sends the public key; (2) when a mark send-request is received from the vendor terminal 1112, the program checks the vendor 1110 to see if the mark should be sent and, if the mark should be sent, creates a digital signature by using the private key for the data indicating the URL of the Web page of the vendor 1110, creates a signature-containing mark by combining the digital signature with the mark managed in the mark management DB 1123, and then sends the signature-containing mark to the vendor 1110. The digital signature may be combined with the mark, for example, by embedding the digital signature, in the form of a digital watermark, into the mark using the above-described digital watermark technique. The digital watermark technique allows information to be embedded with little change on the image data. The digital watermark technique may be used to embed information into a mark because it is one type of image data. Because there are several types of digital watermark (for example, for color images, monochrome images, or binary images), information may be embedded into various types of mark. Another method, if available, may also be used to embed information into the mark. Note that when a digital watermark is used, the mark may be deformed a little provided the mark can be appropriately identified (the logo mark of each credit company may be uniquely identified).

Public key cryptosystems used for signatures include systems based on prime factorization or elliptic curves.

Next, the operation of the authentication system used in the fifth embodiment will be described.

FIG. 19 shows a series of operations that is performed in this embodiment. In the series of operations, the consumer 1100 gets the public key of the mark manager 1120, the vendor 1110 receives a mark from the mark manager 1120 and pastes the mark in the Web page for publication, and then the consumer 1100 browses the Web page and checks the validity of the Web page. The figure shows the operation of each person: consumer 1100, vendor 1110, and mark manager 1120.

In FIG. 19, the consumer 1100 uses the consumer terminal 1800, the vendor 1110 uses the vendor terminal 1112 and the WWW server 1113, and the mark manager 1120 uses the mark management server 1810.

First, the consumer 1100 sends a public key send request to the mark manager 1120 (step 11100).

Upon receiving the request, the mark manager 1120 (step 11101) returns his own public key to the consumer 1100 (step 11102).

The consumer 1100, who receives the public key from the mark manager 1120, stores the public key in the public key DB 1801 (step 11103).

Next, the vendor 1110 sends a mark-send request, specifying the URL of his own Web page and a mark type, to the mark manager 1120 (step 11104).

Upon receiving the request, the mark manager 1120 determines whether or not the mark specified by the mark type contained in the request is to be sent to the vendor 1110 (step 11105) and, if the mark manager 1120 determines to do so, he generates a signature using the URL data specified by the request and the private key, and combines the generated signature with the mark specified by the mark type to generate a signature-containing mark (step 11106). The mark manager 1120 then sends the generated signature-containing mark to the vendor 1110 (step 11107). If the mark manager 1120 determines not to send the mark, he sends the message stating this fact to the vendor 1110. In this embodiment, whether or not the mark is to be sent depends on whether the vendor 1110 has a right to obtain the mark, that is, whether the store is an agent of the credit card company corresponding to the requested logo mark, as in the fourth embodiment. Depending upon the situation in which the mark is used, other criteria may be used.

When the vendor 1110 receives the mark, he creates a Web page in which the signature-containing mark is pasted (step 11108), and stores the Web page in the Web page DB 1114 for access by the consumer 1100 (step 11109).

Next, the consumer 1100 sends a Web page send request, including the URL of the above-described Web page, to the vendor 1110 (step 11110).

Upon receiving the request, the vendor 1110 searches the Web page DB 1114 for the Web page corresponding to the requested URL (step 11111) and returns it to the consumer 1100 (step 11112).

Upon receiving the Web page, the consumer 1100 displays it (step 11113) and then clicks on the signature-containing mark pasted on the displayed Web page (step 11114) in order to verify the signature contained in the signature-containing mark using the public key of the mark manager 1120 stored in the public key DB 1801 and the URL data of the Web page (step 11115). Depending upon whether the signature is correctly verified, the consumer 1100 checks the validity of the signature-containing mark and ends processing (step 11116).

In the above procedure, the validity check result information is sent to the consumer 1100 in the form of the balloon message, saying "Valid", displayed on the display unit 1102 as shown in FIG. 16 (or "Invalid", "Necessary public key missing"). Other display methods may be used. Sounds may be used, or sounds and display messages may be combined.

In the above fifth embodiment, the mark manager 1120 sends the signature-containing mark only to the vendor 1110 who is eligible to accept the signature-containing mark. The URL of the Web page of the vendor 1110 is used as an element for generating the signature-containing mark.

The consumer 1100 verifies the signature contained in the signature-containing mark pasted in the Web page using the public key of the mark manager 1120 and the URL data of the Web page.

Therefore, when an illegal user copies a signature-containing mark from the Web page of an agent and pastes it into his own Web page, the URL of the Web page of the illegal user does not match the URL contained in the signature and so the mark cannot be validated during validity check processing. As a result, the consumer 1100 browsing the Web page of the vendor 1110 can validate the information indicated by the mark pasted in the Web page.

In the fifth embodiment, the validity check is trig- 
gered by the consumer 1 100 clicking the mark. As in the 
fourth embodiment, this embodiment may be modified 
so that the validity check is triggered automatically 
when the Web page is received. It may also be modified 
so that the Web page is displayed when the mark is val- 
kJated. 

In this embodiment, the vendor 1110 gets the mark 
and then the consumer 1100 gets the public key. This 
sequence may be reversed. However, when the con- 
sumer 1100 gets the public key before accessing the 
Web page in step 1 1 1 10 as in the fifth embodiment, the 
public key need not be obtained each time the Web 
page is accessed. 

In the description of the fifth embodiment, the ven- 
dor terminal 1 1 1 2 and the WWW server 1 1 1 3 are sepa- 
rate machines. However, they may be the same 
machine. 

In the fifth embodiment, a signature is created only
for the URL data of the Web page. The signature may
also be created for the image data used as a mark. This
prevents the vendor 1110 from creating a mark
containing a forged signature by retrieving only the
signature from the signature-containing mark received
from the mark manager 1120 and combining the retrieved
signature with the mark of some other credit card
company, thus ensuring safety. In addition, the vendor
1110 may previously create a Web page in which the mark
is to be pasted and may send the Web page to the mark
manager 1120 with a mark-send request so that the
digital signature is created for the Web page. This
prevents the signature-containing mark from being
pasted on any other Web page. That is, the
signature-containing mark can be used for presenting
the contents of the Web page. Therefore, this
modification is suitable for a system in which the
contents of a Web page must be guaranteed by some
authentic person.
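The two signing scopes discussed above, as an added Python example that is not part of the patent: a signature over the URL data alone fails on a page with a different URL but still verifies after the image is exchanged, while a signature over the URL and the image data rejects the exchanged image. The toy RSA key, SHA-256, the URLs and the image bytes are constructed assumptions.

```python
import hashlib

# Constructed toy RSA key standing in for the mark manager 1120's key pair.
# The modulus is a product of two Mersenne primes and is trivially
# factorable: for demonstration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Constructed sample data.
SHOP_URL = "http://shop-a.example/index.html"
COPY_URL = "http://copy.example/index.html"
CARD_A = b"constructed image bytes of card company A"
CARD_B = b"constructed image bytes of card company B"


def digest(*fields):
    """SHA-256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for field in fields:
        h.update(len(field).to_bytes(4, "big") + field)
    return int.from_bytes(h.digest(), "big")


def issue_mark(url, image, bind_image):
    """Mark manager: sign the URL alone, or the URL together with the image."""
    fields = (url.encode(), image) if bind_image else (url.encode(),)
    return {"image": image, "signature": pow(digest(*fields), D, N)}


def check_mark(mark, page_url, bind_image):
    """Consumer: recompute the digest from the page actually being viewed."""
    fields = (page_url.encode(), mark["image"]) if bind_image else (page_url.encode(),)
    return pow(mark["signature"], E, N) == digest(*fields)


def swap_image(mark, other_image):
    """Model the recombination the text warns about: same signature, other image."""
    return {"image": other_image, "signature": mark["signature"]}


if __name__ == "__main__":
    url_only = issue_mark(SHOP_URL, CARD_A, bind_image=False)
    bound = issue_mark(SHOP_URL, CARD_A, bind_image=True)
    print("URL-only, same page:      ", check_mark(url_only, SHOP_URL, False))
    print("URL-only, copied page:    ", check_mark(url_only, COPY_URL, False))
    print("URL-only, image exchanged:", check_mark(swap_image(url_only, CARD_B), SHOP_URL, False))
    print("URL+image, image exchanged:", check_mark(swap_image(bound, CARD_B), SHOP_URL, True))
```

The verifier, not the mark, decides which scope is required; a check that accepted whichever scope the mark claimed would fall back to the URL-only behaviour.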

In addition, a signature and a mark are combined into
a signature-containing mark in the fifth embodiment.
The embodiment may be modified so that the vendor 1110
may previously create a Web page into which the mark is
to be pasted and may send the created Web page to the
mark manager 1120 with the mark-send request. In this
case, the mark manager 1120 may add filtering data,
created based on the Web page contents, to the
signature-containing mark as the attribute information.

This allows only some specific Web pages to be
filtered for display. For example, only the Web pages in
which recommendation marks issued by some Web page
evaluation organization are pasted and which are valid
may be filtered. To do so, a filtering program must be
installed on the consumer terminal 1101 in advance.
This program has the filtering setup function which
allows the consumer 1100 to specify the type of mark to
be displayed on the display unit 1102 of the consumer
terminal 1101 and the filtering execution function
which allows the consumer 1100 to specify not to
display the other marks. This may also be applied to a
system through which the user can filter out Web pages
not to be presented to children because they include
violent scenes.

The programs stored in the terminals and servers used
in the fourth and fifth embodiments usually run under
control of the operating system controlling the unit
and, through the operating system, transfer data and
commands to and from the hardware components of the
unit. Of course, the programs may transfer data and
commands with the hardware components directly, not via
the operating system.

As described above, in the fourth and fifth
embodiments, a user who browses a Web page can
correctly validate information indicated by image data
pasted in the Web page.

A sixth embodiment of this invention will now be 
described. 

The configuration of an authentication system used in
the sixth embodiment is basically the same as that of
the authentication system explained in the fourth
embodiment (FIG. 9 to FIG. 13) except that the validity
check program A 1204c in the memory 1204 of the
consumer terminal 1101 is replaced by the validity
check program C, that the mark management program A
1507b in the memory 1507 of the mark management server
1122 is replaced by the mark management program C, and
that the mark acquisition program in the memory 1306 of
the vendor terminal 1112 is replaced by the mark
acquisition program C.

The operation of the authentication system used in
the sixth embodiment will be described below.

First, the mark acquisition program C running on the
vendor terminal 1112 sends a mark-send request, as well
as his own Web page data, to the mark management server
1122.

Upon receiving the request, the mark management
program C running on the mark management server 1122
checks if a mark should be sent to the vendor 1110 on
the vendor terminal 1112 from which the request was
sent and, if it is determined that the mark should be
sent, performs processing shown in FIG. 21.

That is, the server 1122 reads a mark 2709 and
predetermined information 2708 to be embedded into the
mark 2709 (for example, text to be presented to a mark
management organization 1121) from the mark management
DB 1123 and embeds the predetermined information 2708
into the mark 2709 as a digital watermark (step 2705).
The server 1122 then modifies Web page data 2711 sent
with the mark-send request so that a mark 2710 into
which the digital watermark was embedded is displayed
in the Web page (step 2706), and sends modified Web
page data 2712 to the mark acquisition program C
running on the vendor terminal 1112 (step 2707).

The mark acquisition program C stores, via the WWW
server 1113, the Web page data sent from the mark
management server 1122 into the Web page DB 1114.

After that, when a request is entered from the
consumer 1100 via the browser program 1204b, this Web
page is sent to the consumer terminal 1101 and
displayed on the display unit 1102.

On the other hand, the validity check program C
running on the consumer terminal 1101 checks the
validity of the Web page when the consumer 1100 enters
a request (for example, when the consumer clicks the
mark).

That is, as shown in FIG. 22, the program first
extracts a mark 2909 from a Web page 2908 to check its
validity (step 2905), extracts information 2910
embedded in the extracted mark 2909 as a digital
watermark (step 2906), and displays the extracted
information on the display unit 1102 (step 2907).

Information necessary to extract the information 2910,
embedded as the digital watermark, from the extracted
mark 2909 should be obtained in advance from the mark
management server 1122 (for example, the original mark
into which the watermark shown in step 2710 of FIG. 21
is not yet embedded, or information identifying the
algorithm to restore the information 2910 by using
difference data between the original mark and the
extracted mark 2909). To do so, the validity check
program C is designed to send a validity check
confirmation information request to the mark management
server 1122 as requested by the consumer 1100, and
store information received in response to the request
in the memory 1204 or in the storage unit 1202. The
mark management program C running on the mark
management server 1122 is also designed to send the
required information back to the consumer terminal 1101
in response to the validity check confirmation
information request.

The sixth embodiment of this invention is as
described above.

In this embodiment, a mark in which a digital
signature is embedded is pasted into a Web page instead
of a simple mark. This type of mark enables the
authentication of the relation between the Web page and
the individual/organization to be validated correctly.
The Web page also contains a mark showing the related
individual/organization. Because the mark, usually
displayed in the Web page, is used to authenticate the
relation between the Web page and the
individual/organization indicated by the mark, the
sixth embodiment does not affect the appearance of the
Web page.

A seventh embodiment of this invention will be
described below.

The configuration of an authentication system used in
the seventh embodiment is basically the same as that of
the authentication system explained in the fourth
embodiment (FIG. 9 to FIG. 13) except that the validity
check program A 1204c in the memory 1204 of the
consumer terminal 1101 is replaced by the validity
check program d, that the mark management program A
1507b in the memory 1507 of the mark management server
1122 is replaced by the mark management program d, and
that the mark acquisition program 1306c in the memory
1306 of the vendor terminal 1112 is replaced by the
mark acquisition program d.

The operation of the authentication system used in 
the seventh embodiment will now be described below. 

First, the mark acquisition program d running on the 
vendor terminal 1112 sends a mark-send request, as 
well as his own Web page data, to the mark manage- 
ment server 1122. 

Upon receiving the request, the mark management
program d running on the mark management server 1122
checks if a mark should be sent to the vendor 1110 on
the vendor terminal 1112 from which the request was
sent and, if it is determined that the mark should be
sent, performs processing shown in FIG. 23.

That is, the server 1122 calculates the hash value
2306 of the Web page data 2305 sent with the mark-send
request (step 2301) and embeds, as a digital signature,
the calculated hash value 2306 into the mark 2307
stored in the mark management DB 1123 (step 2302). The
server 1122 then modifies Web page data 2305 sent with
the mark-send request so that a mark 2308 into which
the digital watermark was embedded is displayed in the
Web page (step 2303), and sends the modified Web page
data 2309 to the mark acquisition program d running on
the vendor terminal 1112 (step 2304).

The mark acquisition program d stores, via the WWW
server 1113, the Web page data sent from the mark
management server 1122 into the Web page DB 1114.

After that, when a request is entered from the con- 
sumer 1100 via the browser program 1204b running on 
the consumer terminal 1101, this Web page is sent to 
the consumer terminal 1101 and displayed on the dis- 
play unit 1102. 

On the other hand, the validity check program d
running on the consumer terminal 1101 checks the
validity of the Web page when the consumer 1100 enters
a request (for example, when the consumer clicks the
mark).

That is, as shown in FIG. 24, the terminal 1101 first
extracts a mark 2407 from a Web page 2406 to check its
validity (step 2401) and extracts a hash value 2408
embedded in the extracted mark 2407 as a digital
watermark (step 2402). The terminal 1101 also
calculates a hash value 2409 of the Web page data
except the part related to the mark whose validity is
to be checked (step 2403) and compares the calculated
hash value 2409 with the hash value 2408 extracted from
the mark (step 2404). If they match, the terminal 1101
displays a message stating that the mark was validated
on the display unit 1102; if they do not match, the
terminal 1101 displays a message stating that the mark
was not validated on the display unit 1102 (step 2405).

Information necessary to extract the hash value 2408,
embedded as the digital watermark, from the extracted
mark 2407 should be obtained in advance from the mark
management server 1122. To do so, the validity check
program d is designed to send a validity check
confirmation information request to the mark management
server 1122 as requested by the consumer 1100, and
store information received in response to the request
in the memory 1204 or in the storage unit 1202. The
mark management program d running on the mark
management server 1122 is also designed to send the
required information back to the consumer terminal 1101
in response to the validity check confirmation
information request.

In the seventh embodiment, a mark in which the hash
value of a Web page is embedded is pasted in a Web page
instead of a simple mark. This type of mark enables the
user to authenticate that the mark is given to the Web
page in which the mark is embedded. The Web page also
contains a mark showing the related
individual/organization. In addition, because the hash
value of the Web page is used as the digital watermark,
and always embedded into the mark, the processing does
not depend on whether a plurality of types of data are
included in the Web page. Because the mark, usually
displayed in the Web page, is used to authenticate that
the mark is given to the Web page, the seventh
embodiment does not affect the appearance of the Web
page.

An eighth embodiment of this invention will be
described below.

The configuration of an authentication system used in
the eighth embodiment is basically the same as that of
the authentication system explained in the fourth
embodiment (FIG. 9 to FIG. 13).

However, in this embodiment, the consumer terminal
1101, the mark management server 1122, and the vendor
terminal 1112 are replaced by the consumer terminal
1800a, the mark management server 1810a, and the vendor
terminal 1112a, respectively.

As shown in FIG. 25, the configuration of the
consumer terminal 1800a differs in that the public key
DB 1801 explained in the fifth embodiment is connected,
that the public key DB interface 1900 is provided, and
that the validity check program A 1204c in the memory
1204 is replaced by the validity check program e 3204.

The mark management server 1810a also differs in that
the mark management program A 1507b in the memory 1507
is replaced by the mark management program e 3507, as
shown in FIG. 26.

The vendor terminal 1112a also differs in that the
mark acquisition program 1306c in the memory 1305 is
replaced by a mark acquisition program e 3306, as shown
in FIG. 27.

The operation of the authentication system used in 
the eighth embodiment will now be described below. 

First, the mark acquisition program e 3306 running on
the vendor terminal 1112a sends a mark-send request, as
well as his own Web page data, to the mark management
server 1810a.

Upon receiving the request, the mark management
program e 3507 running on the mark management server
1810a checks if a mark should be sent to the vendor
1110 on the vendor terminal 1112a from which the
request was sent and, if it is determined that the mark
should be sent, performs processing shown in FIG. 28.

That is, the server 1810a calculates a hash value 2807
of Web page data 2806 sent with the mark-send request
(step 2801), encrypts the hash value 2807 with a
private key 2808 of the mark management organization
1121 to generate a digital signature 2809 (step 2802),
and embeds the generated digital signature 2809 into a
mark 2810, stored in the mark management DB 1123, as a
digital watermark (step 2803). The server 1810a then
modifies the Web page data 2806 sent with the mark-send
request so that a mark 2811 into which the digital
watermark was embedded is displayed in the Web page
2806 (step 2804), and sends modified Web page data 2812
to the mark acquisition program e 3306 running on the
vendor terminal 1112a (step 2805).

The mark acquisition program e 3306 running on the
vendor terminal 1112a stores, via the WWW server 1113,
the Web page sent from the mark management server 1810a
into the Web page DB 1114.

After that, when a request is entered from the
consumer 1100 via the browser program 1204b running on
the consumer terminal 1800a, this Web page is sent to
the consumer terminal 1800a and displayed on the
display unit 1102.

On the other hand, the validity check program e 3204
running on the consumer terminal 1800a checks the
validity of the Web page when the consumer 1100 enters
a request (for example, when the consumer clicks on the
mark).

That is, as shown in FIG. 29, the terminal 1800a first
gets a public key 2910 of the mark management
organization 1121 from the public key DB 1801. Then,
the terminal 1800a extracts a mark 2908 from a Web page
2907 to check its validity (step 2901), extracts a
digital signature 2909 embedded in the extracted mark
2908 as a digital watermark (step 2902), and decrypts
the extracted digital signature using the public key
2910 of the mark management organization 1121 to get a
hash value 2911 (step 2903). The terminal 1800a also
calculates a hash value 2912 of the Web page data
except the part related to the mark 2908 whose validity
is to be checked (step 2904), and compares the
calculated hash value 2912 with the hash value 2911
generated by decrypting the digital signature extracted
from the mark 2908 (step 2905). If they match, the
terminal 1800a displays a message on the display unit
1102 stating that the mark was validated; if they do
not match, the terminal 1800a displays a message
stating that the mark was not validated (step 2906).

Information necessary to extract a hash value 2911,
embedded as the digital watermark, from the extracted
mark 2908 should be obtained in advance from the mark
management server 1810a. To do so, the validity check
program e 3204 running on the consumer terminal 1800a
is designed to send a validity check confirmation
information request to the mark management server 1810a
as requested by the consumer 1100, and store
information received in response to the request in the
memory 1204 or in the storage unit 1202. The mark
management program e 3507 running on the mark
management server 1810a is also designed to send the
required information back to the consumer terminal
1800a in response to the validity check confirmation
information request.

In addition, the public key 2910 of the mark
management organization 1121 received in response to a
public key send request, issued from the consumer 1800a
to the mark management server 1810a, is stored in the
public key DB 1801. Upon receiving the public key send
request, the mark management server 1810a sends its own
public key 2910 back to the consumer terminal 1800a as
a response.

In the eighth embodiment described above, a mark in
which a digital signature, generated by encrypting the
hash value of a Web page using the private key of the
mark management organization, is embedded as a digital
watermark is pasted in a Web page instead of a simple
mark. This type of mark enables the authentication of
the relation between the Web page and the mark
management organization to be validated correctly. The
Web page also contains a mark showing the related
individual/organization. In addition, because the
digital signature for the hash value of the Web page
data is always embedded into the mark as the digital
watermark, the processing does not depend on whether a
plurality of types of data are included in the Web
page. Embedding the digital watermark into the mark in
the Web page as the digital signature eliminates the
need to manage the digital signature separately from
the Web page data. Because the mark, usually displayed
in the Web page, is used to authenticate that the mark
is given to the Web page, the eighth embodiment does
not affect the appearance of the Web page.
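The issue and check steps of the eighth embodiment (FIG. 28 and FIG. 29), as an added Python example that is not code from the patent. The delimiters marking the mark's part of the page, the least-significant-bit embedding rule, SHA-256, the toy RSA key and the sample page are all constructed assumptions.

```python
import hashlib

# Constructed toy RSA key standing in for private key 2808 / public key 2910.
# The modulus is a product of two Mersenne primes, so it is trivially
# factorable: for demonstration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SIG_LEN = (N.bit_length() + 7) // 8          # signature size in bytes

# Hypothetical delimiters for "the part related to the mark" in the page data.
MARK_OPEN, MARK_CLOSE = b"<!--mark:", b"-->"

# Constructed inputs: a 40x40 grayscale mark and a vendor page with an empty slot.
MARK = bytes((i * 37) % 256 for i in range(1600))
VENDOR_PAGE = (b"<html><body><h1>Shop A</h1><p>Price: 9,800 yen</p>"
               b"<!--mark:--></body></html>")


def split_mark(page):
    """Return (page data without the mark part, mark pixels or None)."""
    start = page.find(MARK_OPEN)
    end = page.find(MARK_CLOSE, start + len(MARK_OPEN)) if start >= 0 else -1
    if end < 0:
        return page, None
    rest = page[:start] + page[end + len(MARK_CLOSE):]
    try:
        return rest, bytes.fromhex(page[start + len(MARK_OPEN):end].decode("ascii"))
    except ValueError:                       # slot content is not valid hex
        return rest, None


def page_hash(page):
    """SHA-256 of the page data except the part related to the mark."""
    rest, _ = split_mark(page)
    return int.from_bytes(hashlib.sha256(rest).digest(), "big")


def embed_lsb(pixels, payload):
    """Hide payload bits in the least significant bit of successive pixels."""
    if len(pixels) < 8 * len(payload):
        raise ValueError("mark too small for the payload")
    out = bytearray(pixels)
    for i in range(8 * len(payload)):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels, nbytes):
    """Inverse of embed_lsb: rebuild nbytes from the pixel LSBs."""
    out = bytearray(nbytes)
    for i in range(8 * nbytes):
        out[i // 8] |= (pixels[i] & 1) << (7 - i % 8)
    return bytes(out)


def issue_marked_page(page, mark_pixels):
    """Mark management server side (steps 2801 to 2804)."""
    slot = MARK_OPEN + MARK_CLOSE
    if slot not in page:
        raise ValueError("page has no empty mark slot")
    signature = pow(page_hash(page), D, N)                  # steps 2801, 2802
    marked = embed_lsb(mark_pixels, signature.to_bytes(SIG_LEN, "big"))  # 2803
    return page.replace(slot, MARK_OPEN + marked.hex().encode() + MARK_CLOSE, 1)


def verify_page(page):
    """Consumer terminal side (steps 2901 to 2905)."""
    _, pixels = split_mark(page)                            # step 2901
    if pixels is None or len(pixels) < 8 * SIG_LEN:
        return False
    signature = int.from_bytes(extract_lsb(pixels, SIG_LEN), "big")  # step 2902
    if signature >= N:
        return False
    return pow(signature, E, N) == page_hash(page)          # steps 2903 to 2905


if __name__ == "__main__":
    marked = issue_marked_page(VENDOR_PAGE, MARK)
    print("issued page:", verify_page(marked))
    print("edited page:", verify_page(marked.replace(b"9,800", b"1,000")))
```

The unpadded RSA operation mirrors the text's "encrypts the hash value" wording; a deployed system would use a padded signature scheme such as RSASSA-PSS and a watermark that survives image recompression, which plain LSB embedding does not.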

In the sixth to eighth embodiments described above,
the mark management server modifies the Web page data,
sent with a mark-send request, so that the mark in
which a digital watermark is embedded may be displayed
in the Web page. The server then sends the modified Web
page data to the mark acquisition program e running on
the vendor terminal. This processing may be modified as
follows.

That is, the mark management server sends a mark, in
which a digital watermark is embedded, to the vendor
terminal. The vendor terminal modifies the original of
the Web page data sent with the mark-send request so
that the mark in which the digital watermark is
embedded is displayed in the Web page.

In the sixth to the eighth embodiments, processing on
the consumer terminal may be modified as follows:

That is, in the sixth embodiment, the consumer
terminal extracts the mark to be validated from the Web
page, and sends the extracted mark and a validity check
request to the mark management server. In the seventh
and eighth embodiments, the consumer terminal sends Web
page data containing the mark and the validity check
request to the mark management server. On the display
unit of the consumer terminal there is displayed a
successful or an unsuccessful validity check message
sent back from the mark management server. On the other
hand, upon receiving a validity check request, the mark
management server performs the validity check on the
mark in the same way as the consumer terminal performs
in the sixth to eighth embodiments.

In the sixth embodiment, the mark management server
extracts information embedded in the mark sent with the
request. If this information matches the information
embedded by the mark management server, it sends a
successful validity message to the consumer terminal;
if not, it sends an unsuccessful validity check message
to the consumer terminal.

In the seventh embodiment, the mark management server
extracts the mark from the Web page sent with the
request, extracts the hash value embedded in the mark
as the digital watermark, calculates the hash value of
the Web page except the area related to the mark to be
validated, and compares this value with the hash value
extracted from the mark. If they match, the mark
management server sends a successful validity check
message to the consumer terminal, and if not, it sends
an unsuccessful message to the consumer terminal.

In the eighth embodiment, the mark management server
extracts the mark from the Web page sent with the
request, extracts the digital signature embedded in the
extracted mark as the digital watermark, and extracts
the hash value by decrypting the digital signature with
a public key of the mark management organization. The
mark management server calculates the hash value of the
Web page data except the area related to the mark to be
validated, and compares this value with the hash value
generated by decrypting the digital signature extracted
from the mark. If they match, the mark management
server sends a successful validity check message to the
consumer terminal, and if not, it sends an unsuccessful
message to the consumer terminal.

The above-described sixth to eighth embodiments may be
applied not only to Web pages but also to digital data
to be used in various types of electronic commerce. For
example, when drawing data is used in various types of
electronic commerce, vendor's marks are attached to
drawings data to allow the validity of the drawings to
be authenticated. As described earlier, a mark need not
always be image data. For example, when audio data is
used in electronic commerce, the audio data
representing a vendor or a copyright holder may be
added before or after audio data, and a digital
watermark described in the sixth to eighth embodiments
may be embedded into the added audio data.

The embodiments of this invention are described 
above. 

The programs used in each of the above-described
embodiments may be recorded on various types of
recording media, including a floppy disk, CD-ROM, DVD,
and so forth for distribution to a unit on which they
are executed. Alternatively, the programs may be
downloaded to the unit from some other server connected
to the network to which the unit is connected.

Each embodiment described above may be modified in
other specific forms without departing from the spirit
or essential characteristics thereof.

As described above, this invention provides a
technique allowing the relation between digital data
and an individual/organization to be authenticated more
reliably. At the same time, an individual/organization
associated with digital data may be presented directly
to the user so that the relation between the digital
data and the individual/organization may be
authenticated.

Claims 

1. An embed-in-content information processing method
for processing information embedded in a content using
an electronic computer, the method comprising the steps
of:

creating cryptographic information by encrypting
specific data using a private key in accordance with a
public key cipher system used by content-handling
persons; and

embedding the created cryptographic information into
the content such that the cryptographic information
cannot be separated from the content without using a
predetermined rule.

2. An embed-in-content information processing method
according to claim 1, further comprising the steps of:

extracting the cryptographic information from the
content in which the cryptographic information is
embedded; and

verifying that a result obtained by decrypting the
extracted cryptographic information using a public key
paired with the private key used by content-handling
persons matches said specific data.

3. An embed-in-content information processing method
according to claim 1, wherein said specific data is
made to be dependent on the content into which said
cryptographic information is to be embedded in order to
use a digital signature for the content as said
cryptographic information, said digital signature being
used by said content-handling persons.

4. An embed-in-content information processing method
according to claim 1, further comprising the step of
evaluating the content with a hash function to generate
a hash value, which is a resulting evaluation value, as
said specific data in order to use a digital signature
for the content as said cryptographic information, said
digital signature being used by said content-handling
persons, said step being executed prior to creating
said cryptographic information.


5. An embed-in-content information processing method
for embedding information on k (k is an integer equal
to or larger than 2) content-handling persons using an
electronic computer, the method comprising the steps
of:

embedding a digital signature into the content such
that the digital signature cannot be separated from the
content without using a predetermined rule, the digital
signature being created by encrypting an n-bit hash
value using a private key in accordance with a public
key cipher system used by a first content-handling
person, the n-bit hash value being obtained by
evaluating the content with a first hash function; and

sequentially repeating digital signature embedding for
a second person to a k-th content-handling person,

wherein, for an i-th content-handling person (i is an
integer between 2 and k), the content into which the
digital signatures of the first to an (i-1)
content-handling persons are embedded is evaluated with
a second hash function, wherein a resulting n^-bit hash
value is encrypted using the private key of the i-th
content-handling person to generate the digital
signature of the i-th content-handling person, and
wherein the digital signature of the i-th
content-handling person is embedded into the content in
which the digital signatures of the i-th
content-handling person from the first to the (i-1)th
persons are already embedded such that the digital
signature of the i-th content-handling person cannot be
separated from the content without using a
predetermined rule.

6. An embed-in-content information processing method
for embedding information on k (k is an integer equal
to or larger than 2) content-handling persons using an
electronic computer, the method comprising the steps
of:

creating a digital signature of a first
content-handling person by encrypting a hash value
using a private key in accordance with a public key
cipher system of the first content-handling person, the
hash value being created by evaluating the content with
a first hash function;

sequentially repeating digital signature creation for
a second person to a k-th content-handling person to
create the digital signatures of the content-handling
persons; and

embedding the digital signature of the k-th
content-handling person into the content such that the
digital signature of the k-th content-handling person
cannot be separated from the content without using a
predetermined rule, the digital signature of the k-th
content-handling person being obtained by performing
said digital signature creation for the k-th
content-handling person, wherein, during said digital
signature creation processing for an i-th
content-handling person (i is an integer between 2 and
k), a value dependent on the digital signature of the
(i-1)th content-handling person is encrypted using the
private key of the i-th content-handling person to
generate the digital signature of the (i-)th
content-handling person.

7. An embed-in-content information processing method
according to claim 6, wherein the value dependent on
the digital signature of the (i-1)th content-handling
person is a hash value obtained by evaluating the value
of the digital signature of said (i-1)th
content-handling person with a hash function.

8. An information authentication method used by an
information publisher and an information browser and
managed by a manager trusted by both the information
publisher and the information browser,

wherein, the information publisher adds multimedia
data to information published by the information
publisher in such a way that the multimedia data may be
validated and wherein the information browser checks
the validity of the information according to whether or
not the multimedia data is validated.

9. In a system in which at least one client terminal,
at least one WWW server providing information upon
request from said client terminal, and at least one
mark management server managing one or more marks used
by said client terminal and said WWW server are
interconnected over a communication network, a Web page
authentication method, for a Web page published on the
WWW server, the method comprising:

a step of said WWW server sending a mark-send request
containing a URL of the WWW server to said mark
management server;

a step of said WWW server pasting the mark sent back
from said mark management server into the Web page of
the WWW server, setting in the mark a link to said mark
management server, and publishing the Web page
containing the mark for access by said client terminal;

a step of said mark management server storing, in a
mark management DB, such information as to whether the
mark managed by the mark management server has been
sent;

a step of said mark management server, upon receiving
the mark-send request from said WWW server, checking if
the WWW server satisfies a condition for acquiring the
mark, and only when the condition is satisfied,
updating said mark management DB, and then sending the
requested mark back to the WWW server;

a step of said mark management server, upon receiving
a validity check request from said client terminal,
referencing said mark management DB to verify if the
requested mark is valid and sending a verification
result back to the client terminal;

a step of said client terminal downloading the Web
page containing said mark from said WWW server; and

a step of said client terminal sending the validity
check request including the URL of said Web page
containing said mark and receiving the verification
result.

10. In a system in which at least one client terminal, at 
least one WWW server providing information upon 40 
request from said client terminal, and at least one 
mark management server managing one or more 
marks used by said client terminal and said WWW 
server are interconnected over a communication 
network, a Web page authentication method, for a 45 
Web page published on the WWW server, the 
method comprising: 

a step of said WWW server sending a mark- 
send request containing a URL of the WWW so 
server to said mark management server; 
a step of said WWW server pasting a signature-containing
mark sent back from said mark
management server into the Web page of the
WWW server and publishing the Web page
containing the signature-containing mark for
access by said client terminal;
a step of said mark management server storing,
in a mark management DB, such information
as to whether the mark managed by the
mark management server has been sent;
a step of said mark management server, upon
receiving a public key send request from said
client terminal, sending back a public key of the
mark management server to said client terminal;

a step of said mark management server, upon
receiving the mark-send request from said
WWW server, checking if the WWW server satisfies
a condition for acquiring the mark, and
only when the condition is satisfied, updating
said mark management DB, adding a digital
signature to WWW server's URL data contained
in said request to generate a signature-containing
mark, and then sending the signature-containing
mark back to the WWW server;
a step of said client terminal sending a public 
key send-request to said mark management 
server; 

a step of said client terminal storing in a public 
key DB the public key sent back from said mark 
management server; 

a step of said client terminal downloading from 
said WWW server a Web page in which said 
mark is pasted; and 

a step of said client terminal referencing said
public key DB to verify the signature contained
in the downloaded Web page in which said
mark is pasted.

11. A Web page authentication method according to
claim 10, wherein the signature-containing mark is
generated not only for the URL data of said WWW
server but also for image data of the mark to generate
the signature-containing mark from the mark
and the signature.

12. A Web page authentication method according to 
claim 10, wherein the signature-containing mark is
generated for the Web page to generate the signa- 
ture-containing mark from the mark and the signa- 
ture. 

13. A Web page authentication method according to 
claim 10, wherein not only the mark and the signature
but also attribute information associated with
the system is used as a component of the
signature-containing mark.

14. A method for creating authenticatable digital data
including authentication data for authenticating the 
digital data using an electronic computer, the 
method comprising the steps of: 

generating mark data recognizable by a user 
when the user uses the digital data;
generating watermark-embedded mark data
into which specific information is embedded as
a digital watermark; and
including the watermark-embedded mark data
into said digital data to generate said authenticatable
digital data.

15. A method for creating authenticatable digital data
according to claim 14, wherein said specific information
is a first hash value generated by evaluating
said digital data with a predetermined hash function.

16. A method for creating authenticatable digital data 
according to claim 14, wherein said specific information
is a digital signature generated by evaluating
said digital data with a predetermined function
to obtain a first evaluation value and then by 
encrypting the first evaluation value with a private 
key according to a predetermined public key cipher. 

17. A method for creating authenticatable digital data 
according to claim 14, further comprising the steps
of: 

extracting said mark data from said authenti- 
catable digital data; 

extracting from said extracted mark data said 
specific information included as the digital 
watermark; and 

authenticating the digital data based on the 
extracted information. 

18. A method for creating authenticatable digital data 
according to claim 15, further comprising the steps 
of:

extracting said mark data from said authenti- 
catable digital data; 

extracting from said extracted mark data the 
first hash value included as the digital water- 
mark; 

calculating a second hash value by evaluating 
said digital data with said predetermined hash
function based on said authenticatable digital 
data; and 

judging that the digital data is successfully 
authenticated when the extracted first hash 
value matches the calculated second hash 
value. 

19. A method for creating authenticatable digital data 
according to claim 16, further comprising the steps 
of: 

extracting said mark data from said authenti- 
catable digital data; 

extracting from said extracted mark data the
digital signature embedded as the digital watermark;

extracting the first evaluation value obtained by
decrypting the extracted digital signature with a
public key corresponding to said private key;

calculating a second evaluation value by evalu- 
ating said digital data with said predetermined 
function based on said authenticatable digital 
data; and 

judging that the digital data is successfully
authenticated when the extracted first hash
value matches the calculated second hash
value.
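
An added illustration, not text from the patent, of the creation steps of claims 14 and 15 and the verification steps of claim 18. SHA-256, least-significant-bit embedding, the 256-byte grey-scale mark and the mark-followed-by-data layout are assumptions chosen for this example; the claims fix none of them.

```python
import hashlib
import hmac

MARK_LEN = 256    # assumed: the mark is 256 one-byte grey pixels
HASH_BITS = 256   # SHA-256 stands in for the "predetermined hash function"

def make_mark() -> bytes:
    """Constructed sample mark data: a visible grey gradient."""
    return bytes(range(256))

def embed_hash(mark: bytes, digest: bytes) -> bytes:
    """Write each digest bit into the least significant bit of one mark pixel."""
    out = bytearray(mark)
    for i in range(HASH_BITS):
        bit = (digest[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract_hash(mark: bytes) -> bytes:
    """Read the digest back out of the pixel LSBs."""
    digest = bytearray(HASH_BITS // 8)
    for i in range(HASH_BITS):
        digest[i // 8] |= (mark[i] & 1) << (7 - i % 8)
    return bytes(digest)

def create_authenticatable(data: bytes) -> bytes:
    """Claims 14-15: hash the data, watermark the mark, include the mark."""
    first_hash = hashlib.sha256(data).digest()
    return embed_hash(make_mark(), first_hash) + data  # assumed layout: mark, then data

def authenticate(blob: bytes) -> bool:
    """Claim 18: extract mark and first hash, recompute second hash, compare."""
    if len(blob) < MARK_LEN:
        return False  # truncated input: no complete mark to extract
    mark, data = blob[:MARK_LEN], blob[MARK_LEN:]
    first_hash = extract_hash(mark)
    # The second hash covers the digital data only, never the mark itself,
    # otherwise embedding the watermark would invalidate its own hash.
    second_hash = hashlib.sha256(data).digest()
    return hmac.compare_digest(first_hash, second_hash)
```

Because the hash of claim 15 is unkeyed, a match shows only that the data and the mark agree with each other; the signature variant of claims 16 and 19 is what ties the watermark to the holder of a private key.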